Malware Analysis Report

2024-10-10 13:00

Sample ID 240618-kf42ysvgrg
Target EXCheker.rar
SHA256 4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2
Tags
rat dcrat infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2

Threat Level: Known bad

The file EXCheker.rar was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer spyware stealer

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 08:33

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 08:33

Reported

2024-06-18 08:36

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 36

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 3

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
N/A N/A C:\Windows\Migration\WTR\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GECCO.EXE N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\ja-JP\6ccacd8608530f C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Sidebar\wininit.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Sidebar\56085415360792 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Uninstall Information\explorer.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Uninstall Information\7a0fd90576e088 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6ccacd8608530f C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\Idle.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Migration\WTR\7a0fd90576e088 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\Migration\WTR\explorer.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 36

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 5
N/A N/A C:\Windows\Migration\WTR\explorer.exe N/A 13
N/A N/A C:\Windows\system32\taskmgr.exe N/A 24

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Migration\WTR\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Migration\WTR\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\GECCO.EXE N/A 6
N/A N/A C:\Windows\system32\taskmgr.exe N/A 36

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\GECCO.EXE N/A 6
N/A N/A C:\Windows\system32\taskmgr.exe N/A 36

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1936 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2028 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2756 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe 4
PID 2572 wrote to memory of 1696 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\Migration\WTR\explorer.exe 3
PID 1696 wrote to memory of 2248 N/A C:\Windows\Migration\WTR\explorer.exe C:\Windows\System32\WScript.exe 3
PID 1696 wrote to memory of 540 N/A C:\Windows\Migration\WTR\explorer.exe C:\Windows\System32\WScript.exe 3
PID 1696 wrote to memory of 536 N/A C:\Windows\Migration\WTR\explorer.exe C:\Users\Admin\AppData\Local\Temp\GECCO.EXE 4

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f

C:\Windows\Migration\WTR\explorer.exe

"C:\Windows\Migration\WTR\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dfd7088-2c43-4100-b39a-274b0bcc7e88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3a6dd8-929b-4e3e-8d71-b95106590b29.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\GECCO.EXE

"C:\Users\Admin\AppData\Local\Temp\GECCO.EXE"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp 3
US 145.14.144.151:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp 7
US 145.14.145.156:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp 1
US 145.14.145.141:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp 2

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

C:\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/2572-13-0x00000000003A0000-0x00000000004DC000-memory.dmp

memory/2572-14-0x0000000000330000-0x000000000034C000-memory.dmp

memory/2572-15-0x0000000000350000-0x0000000000366000-memory.dmp

memory/2572-16-0x0000000000370000-0x000000000037A000-memory.dmp

memory/2572-17-0x0000000000380000-0x0000000000388000-memory.dmp

memory/2572-18-0x0000000000390000-0x000000000039C000-memory.dmp

memory/1696-49-0x0000000000B20000-0x0000000000C5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9dfd7088-2c43-4100-b39a-274b0bcc7e88.vbs

MD5 c6e1442783fa075ab67af28aa788886e
SHA1 0b5bd9df544386350c4b6d8447a76c3b87aa586d
SHA256 403071fe1693c190a170a5eb190aedd59e64ff0fbf2dd8198bbce1aa5398ebbb
SHA512 abb2b4a3864c92bda7097331b3dbd0a040df5328e9e904429c5dd8db5dd5d7688ce85f769b20eb00be9893360a5252769012e02e87b94212632296f2cecd8e0a

C:\Users\Admin\AppData\Local\Temp\1c3a6dd8-929b-4e3e-8d71-b95106590b29.vbs

MD5 fa31ff4f32d59e40235bf2c1c04ebf07
SHA1 ab59b1c6e4104c05cbaa4c3b8af0432cc927ddd9
SHA256 17f96ba2ef462de2ea72a2360da6336e220eb265f7048f3335f74d31e314f282
SHA512 7c709665f11f5b2b91f82eef2504f8053ad88bb2246182eaa3b9e10bccba5c589969eb442ea26f0e46e2a80a11aff51ce1ab00d3b47e12615216845d37a798e9

C:\Users\Admin\AppData\Local\Temp\GECCO.EXE

MD5 42dd94809ad0c60480690c0ae0019ee8
SHA1 d578fb2fc7c0b08a8ebb375e920d3602a70a098d
SHA256 0040cd2d77e8f81db7414c284bf9828348d7b3a5a5322177fd9e8151fc00638f
SHA512 b8ba04feb9e2a6b15b017af6d2af55756987ac33de1c0740208ac09f402218ca585bbe0e6ce91b8aa50b0653fc8999473c1ed34c3b1a0d5e87b21ce35c19470b

memory/536-91-0x0000000000400000-0x000000000050F000-memory.dmp

memory/536-92-0x0000000000400000-0x000000000050F000-memory.dmp

memory/536-93-0x0000000000400000-0x000000000050F000-memory.dmp

memory/536-94-0x0000000000400000-0x000000000050F000-memory.dmp

memory/536-95-0x0000000000400000-0x000000000050F000-memory.dmp

memory/2032-96-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2032-97-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 08:33

Reported

2024-06-18 08:36

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 58
File created C:\Program Files\Common Files\Services\9e8d7a4ca61bd9 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EXCheker.exe N/A 1
File created C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 1
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\69ddcba757bf72 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 1
File created C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 1
File created C:\Program Files\Uninstall Information\6cb0b6c459d5d3 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A 1

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | N/A | C:\Windows\system32\schtasks.exe (63 identical rows)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (9 identical rows)
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EXCheker.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (4 identical rows)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Uninstall Information\6cb0b6c459d5d3 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\Services\RuntimeBroker.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\Services\886983d96e3d3e | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Microsoft Office 15\9e8d7a4ca61bd9 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\69ddcba757bf72 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Uninstall Information\dwm.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\Services\9e8d7a4ca61bd9 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\OfficeClickToRun.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\DESIGNER\sysmon.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\DESIGNER\121e5b5079f7c0 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Microsoft Office 15\RuntimeBroker.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\e6c9b481da804f | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Windows Portable Devices\dwm.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Program Files\Common Files\Services\csrss.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\DiagTrack\Settings\5b884080fd4f94 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\87d4071f03fa9f | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\ja-JP\RuntimeBroker.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\ja-JP\9e8d7a4ca61bd9 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\L2Schemas\TextInputHost.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\L2Schemas\22eafd247d37c3 | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
File created | C:\Windows\DiagTrack\Settings\fontdrvhost.exe | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
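The two "Drops file" tables above share one shape: AgentProvider.exe copies itself under the name of a trusted Microsoft binary (smss.exe, csrss.exe, dwm.exe, RuntimeBroker.exe, explorer.exe, fontdrvhost.exe, TextInputHost.exe, sysmon.exe, OfficeClickToRun.exe) into a directory where that binary never lives, and writes an extensionless companion file named with 14 hex characters beside each copy. The following is an added example, not part of this report or of the sandbox's tooling, that triages such a path list: it flags the out-of-place names, flags the marker files, and pairs the two per directory. The expected-directory map is an analyst assumption to tune per estate (the report states no such map), and the final AppData path in the sample input is a constructed benign control.

```python
"""Triage dropped-file paths for out-of-place system binaries (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Trusted Microsoft binary names this sample copies out of place, mapped to the
# directory where the genuine file lives. ASSUMPTION for illustration: tune per
# estate; the report itself states no such map.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "fontdrvhost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "textinputhost.exe": r"c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy",
    "sysmon.exe": r"c:\windows",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
}

# Every copied executable in the tables above has an extensionless companion
# file named with 14 lowercase hex characters in the same directory.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def classify(path: str) -> str | None:
    """Verdict for one dropped path, or None when nothing looks wrong."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        return f"masquerade: {p.name} belongs in {expected}"
    if MARKER_RE.match(name):
        return "marker: 14-hex companion file"
    return None


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Verdicts grouped by directory, so an exe and its marker sit together.
    Directories with no hit are omitted."""
    by_dir: dict[str, list[str]] = defaultdict(list)
    for path in paths:
        verdict = classify(path)
        if verdict is not None:
            by_dir[str(PureWindowsPath(path).parent)].append(verdict)
    return dict(by_dir)


def drop_sets(paths: list[str]) -> list[str]:
    """Directories holding both a masquerading exe and a marker file: the
    strongest signal, since legitimate installers never ship that pairing."""
    return sorted(
        d for d, verdicts in triage(paths).items()
        if any(v.startswith("masquerade") for v in verdicts)
        and any(v.startswith("marker") for v in verdicts)
    )


# Paths copied from the "Drops file" tables above; the last entry is a
# constructed benign control that must not be flagged.
DROPPED = [
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe",
    r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\69ddcba757bf72",
    r"C:\Program Files\Uninstall Information\dwm.exe",
    r"C:\Program Files\Uninstall Information\6cb0b6c459d5d3",
    r"C:\Program Files\Common Files\Services\csrss.exe",
    r"C:\Program Files\Common Files\Services\RuntimeBroker.exe",
    r"C:\Program Files\Common Files\Services\9e8d7a4ca61bd9",
    r"C:\Program Files\Common Files\Services\886983d96e3d3e",
    r"C:\Program Files\Common Files\DESIGNER\sysmon.exe",
    r"C:\Program Files\Common Files\DESIGNER\121e5b5079f7c0",
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe",
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088",
    r"C:\Program Files (x86)\Windows Photo Viewer\OfficeClickToRun.exe",
    r"C:\Program Files (x86)\Windows Photo Viewer\e6c9b481da804f",
    r"C:\Windows\ja-JP\RuntimeBroker.exe",
    r"C:\Windows\ja-JP\9e8d7a4ca61bd9",
    r"C:\Windows\L2Schemas\TextInputHost.exe",
    r"C:\Windows\L2Schemas\22eafd247d37c3",
    r"C:\Windows\DiagTrack\Settings\fontdrvhost.exe",
    r"C:\Windows\DiagTrack\Settings\5b884080fd4f94",
    r"C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe",
    r"C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\87d4071f03fa9f",
    r"C:\Users\Admin\AppData\Local\Temp\notes.txt",  # constructed benign control
]

if __name__ == "__main__":
    for directory, verdicts in triage(DROPPED).items():
        print(directory)
        for v in verdicts:
            print("   ", v)
    print("drop sets:", drop_sets(DROPPED))
```

The creddialoghost directory only yields a marker hit, because AgentProvider.exe is not a name on the map; the marker rule still catches it, which is why the two rules are kept separate rather than requiring both.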

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (63 identical rows)
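The schtasks.exe command lines recorded in the Processes list show what those 63 task creations are: for every dropped binary, one ONLOGON task at /rl HIGHEST plus two MINUTE tasks with single-digit intervals, with the task named after the binary's stem, either verbatim (smss, wininit, dwm) or with the stem's first character appended (smsss, wininitw, dwmd). The following is an added example, not from the report, that parses such command lines and scores them on exactly those traits. The sample input copies nine of the report's own command lines plus one constructed benign task; the system-name set and the 15-minute interval threshold are tuning assumptions.

```python
"""Triage schtasks /create command lines for DcRat-style persistence (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted spans stay whole: /tr paths contain spaces

# Core Windows processes whose names this sample borrows for its copies
# (ASSUMPTION: extend as needed); their only legitimate home is System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "dwm.exe",
                "fontdrvhost.exe", "runtimebroker.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"


def parse_schtasks(cmd: str) -> dict[str, object]:
    """Map each /switch to its value (quotes stripped) or True when it is bare.
    The sample wraps /tr paths as "'path'", so both quote kinds are removed."""
    tokens = TOKEN_RE.findall(cmd)
    task: dict[str, object] = {"image": tokens[0]}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                task[key] = tokens[i + 1].strip('"').strip("'")
                i += 2
                continue
            task[key] = True
        i += 1
    return task


def task_flags(task: dict[str, object]) -> list[str]:
    """Reasons a parsed /create task looks like malware persistence."""
    target = PureWindowsPath(str(task.get("tr", "")))
    stem, tn = target.stem.lower(), str(task.get("tn", "")).lower()
    reasons: list[str] = []
    # Builder-style names: the target's stem, or the stem with its own first
    # character appended (smss -> smsss, wininit -> wininitw, dwm -> dwmd).
    if stem and tn in (stem, stem + stem[0]):
        reasons.append("task name derived from target stem")
    if target.name.lower() in SYSTEM_NAMES and str(target.parent).lower() != SYSTEM32:
        reasons.append(f"{target.name} scheduled from {target.parent}")
    mo = str(task.get("mo", "1"))
    interval = int(mo) if mo.isdigit() else 1  # /sc MINUTE without /mo means every minute
    if str(task.get("sc", "")).upper() == "MINUTE" and interval <= 15:
        reasons.append(f"re-launched every {interval} min")
    if str(task.get("rl", "")).upper() == "HIGHEST" and not str(target).lower().startswith(SYSTEM32):
        reasons.append("HIGHEST run level for a non-System32 binary")
    return reasons


def triage_tasks(cmds: list[str]) -> dict[str, dict]:
    """Group /create tasks by target binary with the union of their reasons."""
    groups: dict[str, dict] = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for cmd in cmds:
        task = parse_schtasks(cmd)
        if "create" not in task:
            continue
        g = groups[str(task.get("tr", ""))]
        g["tasks"].append((task.get("tn"), task.get("sc"), task.get("mo"), task.get("rl")))
        g["reasons"].update(task_flags(task))
    return dict(groups)


def triplets(cmds: list[str]) -> list[str]:
    """Targets registered with an ONLOGON task plus two or more MINUTE tasks,
    the exact shape every binary in this detonation receives."""
    hits = []
    for target, g in triage_tasks(cmds).items():
        scheds = [str(s).upper() for _, s, _, _ in g["tasks"]]
        if "ONLOGON" in scheds and scheds.count("MINUTE") >= 2:
            hits.append(target)
    return sorted(hits)


# Nine command lines copied from the Processes list of this report.
TASKS = [line for line in r"""
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
""".splitlines() if line.strip()]
# Constructed benign control: an ordinary daily task that should score nothing.
BENIGN = r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f'

if __name__ == "__main__":
    for target, g in triage_tasks(TASKS + [BENIGN]).items():
        print(target, sorted(g["reasons"]))
    print("triplets:", triplets(TASKS + [BENIGN]))
```

Grouping by target rather than by task name matters here: the three tasks per binary carry two different names, so a per-name view would never show the ONLOGON-plus-two-MINUTE pattern.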

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\EXCheker.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (5 identical rows)
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (8 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A (16 identical rows)
N/A | N/A | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (13 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\bridgesurrogateAgentFont\AgentProvider.exe | N/A (2 identical rows)
Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\DESIGNER\sysmon.exe | N/A (13 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 3148 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 4984 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 1344 wrote to memory of 4460 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 1344 wrote to memory of 4460 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 4460 wrote to memory of 2376 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\System32\cmd.exe
PID 4460 wrote to memory of 2376 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\System32\cmd.exe
PID 2376 wrote to memory of 3960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2376 wrote to memory of 3960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2376 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 2376 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 2020 wrote to memory of 3128 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 3128 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 1684 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 1684 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3128 wrote to memory of 4848 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 3128 wrote to memory of 4848 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4848 wrote to memory of 724 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4848 wrote to memory of 724 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4848 wrote to memory of 3668 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4848 wrote to memory of 3668 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 724 wrote to memory of 4176 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 724 wrote to memory of 4176 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4176 wrote to memory of 2924 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4176 wrote to memory of 2924 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4176 wrote to memory of 1384 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4176 wrote to memory of 1384 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2924 wrote to memory of 552 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 2924 wrote to memory of 552 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 552 wrote to memory of 4904 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 552 wrote to memory of 4904 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 552 wrote to memory of 1400 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 552 wrote to memory of 1400 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4904 wrote to memory of 3304 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4904 wrote to memory of 3304 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 3304 wrote to memory of 372 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3304 wrote to memory of 372 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3304 wrote to memory of 412 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3304 wrote to memory of 412 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 372 wrote to memory of 4724 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 372 wrote to memory of 4724 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4724 wrote to memory of 3800 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 3800 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 544 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 544 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 2668 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 3800 wrote to memory of 2668 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 2668 wrote to memory of 4536 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2668 wrote to memory of 4536 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2668 wrote to memory of 4872 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2668 wrote to memory of 4872 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4536 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4536 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4780 wrote to memory of 1496 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 1496 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 3980 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 3980 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 1496 wrote to memory of 4176 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 1496 wrote to memory of 4176 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
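
The rows above show the dropped sysmon.exe starting WScript.exe, which starts a fresh sysmon.exe, which starts WScript.exe again, and so on; the WScript.exe instances are the ones running the .vbs files under AppData\Local\Temp listed in the process list further down. The Python below is an added example, not tooling from this report or from the sandbox: it rebuilds the parent/child tree from these rows (copied into the script as constructed input in the flattened "PID a wrote to memory of b N/A process target" form) and counts how many times the payload relaunched itself through the script host, which is the signal a triage analyst wants in one number rather than spread over a dozen near-identical rows.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the "wrote to memory of" rows from the table above.
SAMPLE_ROWS = r"""
PID 4724 wrote to memory of 3800 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 3800 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 544 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 3800 wrote to memory of 2668 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 2668 wrote to memory of 4536 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 2668 wrote to memory of 4872 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4536 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
PID 4780 wrote to memory of 1496 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 3980 N/A C:\Program Files\Common Files\DESIGNER\sysmon.exe C:\Windows\System32\WScript.exe
PID 1496 wrote to memory of 4176 N/A C:\Windows\System32\WScript.exe C:\Program Files\Common Files\DESIGNER\sysmon.exe
""".strip().splitlines()

# Both image paths contain spaces, so split on the second "C:\" rather than on
# whitespace: the first path is matched lazily up to the next "C:\".
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>C:\\.*?)\s+(?P<dst_img>C:\\.*)$"
)


def build_tree(rows: List[str]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Parse rows into children (parent PID -> child PIDs, duplicate rows
    collapsed, order kept) and image (PID -> image path)."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image[src], image[dst] = m["src_img"], m["dst_img"]
        if dst not in children[src]:
            children[src].append(dst)
    return children, image


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that write to others but are never written to themselves."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def longest_chain(children: Dict[int, List[int]], start: int) -> List[int]:
    """Deepest root-to-leaf PID path, depth first."""
    best = [start]
    for kid in children.get(start, []):
        candidate = [start] + longest_chain(children, kid)
        if len(candidate) > len(best):
            best = candidate
    return best


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_relaunches(children: Dict[int, List[int]], image: Dict[int, str],
                      script_host: str = "wscript.exe") -> int:
    """Count parent -> script host -> same image as parent hops, i.e. the
    payload using a script to start a fresh copy of itself."""
    count = 0
    for parent, kids in children.items():
        for mid in kids:
            if basename(image[mid]) != script_host:
                continue
            for grandchild in children.get(mid, []):
                if basename(image[grandchild]) == basename(image[parent]):
                    count += 1
    return count


if __name__ == "__main__":
    ch, img = build_tree(SAMPLE_ROWS)
    for root in roots(ch):
        chain = longest_chain(ch, root)
        print(" -> ".join(f"{pid}:{basename(img[pid])}" for pid in chain))
    print("script-mediated relaunches:", script_relaunches(ch, img))
```

The same parser works on the full "Suspicious use of WriteProcessMemory" table of a report; on these ten rows it yields one root (PID 4724), a seven-process chain alternating sysmon.exe and WScript.exe, and three relaunches within the fragment.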

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Settings\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\bridgesurrogateAgentFont\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\bridgesurrogateAgentFont\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Pictures\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProvider" /sc ONLOGON /tr "'C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YkIhUEfdqs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272b5457-e977-4289-910f-e0d43df25629.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b76a79b-2908-4ba2-aff9-93ccb0cee04e.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60accf01-42a2-4b2d-859f-edc63c1189a4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0950f7a8-ab65-4760-88b2-9886765466c1.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf69318-9cfd-4510-9741-1a9e77ed9686.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b364d9-7a38-429d-9b21-5dff932936a2.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dd180d9-24e7-462c-a16a-09bb98dd5056.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c286e6a-45d8-4cbd-a81e-926d85c81448.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5940c224-8de8-46aa-bfd7-c3e7b61f9f26.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27f1c37e-a2d8-43e5-8cc4-8368042c806f.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b876ba43-ba84-40f4-ac92-7c5ac6c21a36.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b08f4f5-626a-4769-9857-ccbd9cd3b39f.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83b522b-3738-4774-a0a9-aee2181ddab7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39e9e43c-9623-445f-8209-688c727f894f.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef1c718-f578-4b6e-98fd-9239568dbb88.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a74c82-6749-40a9-8e9c-f2249b40d914.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d74856d8-d6c5-4839-b047-e7e3e1ea5fd5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f1d25c5-9fb9-465e-af39-a57fe20027ef.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cf28b3-221e-450f-a834-cc6507a67b29.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae743483-6b8e-448b-8a5a-624bea604bdb.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f02e6da9-d8d9-4074-aa20-e5005f6e62da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8716f1c-d99f-4147-81b9-9263e5c5e6fa.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d991a093-9eed-4272-a150-62368c0fee90.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0f3ea79-0305-4211-8a04-04c6b9c549cb.vbs"

C:\Program Files\Common Files\DESIGNER\sysmon.exe

"C:\Program Files\Common Files\DESIGNER\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58558bf3-1d4e-4be1-8f8b-b3fdf9b334a1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55f06352-dede-4abb-9517-365696071c7a.vbs"
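
The schtasks.exe command lines in the list above follow one template per dropped binary: a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each pointing at a copy named after a Windows system binary (smss.exe, csrss.exe, dwm.exe, RuntimeBroker.exe and so on) placed under Program Files, Recovery or a Windows subfolder where Windows never installs it, with the task name being the file stem or the stem plus its own first letter (smss/smsss, csrss/csrssc, RuntimeBroker/RuntimeBrokerR). The Python below is an added example, not part of this report or of the sandbox that produced it: it parses such command lines (a subset copied from the list above, plus one constructed benign line it must not flag) and reports targets that match two or more of those traits. The SYSTEM_BINARIES table of expected install directories is an illustrative assumption of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: schtasks.exe command lines copied from the process
# list above plus one benign control line (assumption: a typical updater task).
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\AgentProvider.exe'" /f
schtasks.exe /create /tn "ExampleUpdater" /sc DAILY /st 03:00 /tr "C:\Program Files\Example\updater.exe" /f
""".strip().splitlines()

# Directory Windows installs each name into (illustrative assumption of this
# example). Launching one of these names from anywhere else is masquerading.
SYSTEM_BINARIES: Dict[str, str] = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32", "fontdrvhost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32", "dllhost.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"'                # task name
    r'.*?/sc\s+(?P<sched>\w+)'                # schedule type
    r'(?:\s+/mo\s+(?P<mod>\d+))?'             # optional interval modifier
    r".*?/tr\s+\"'?(?P<target>[^\"']+)'?\""   # target, may be wrapped in '...'
    r'(?:.*?/rl\s+(?P<level>\w+))?',          # optional run level
    re.IGNORECASE,
)


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: Optional[str]


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Extract the fields of a 'schtasks /create' command line, or None."""
    if "/create" not in cmdline.lower():
        return None
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    return Task(m["name"], m["sched"].upper(),
                int(m["mod"]) if m["mod"] else None,
                m["target"], m["level"].upper() if m["level"] else None)


def is_masquerading(target: str) -> bool:
    """Well-known Windows binary name in a directory Windows never uses."""
    directory, _, filename = target.lower().rpartition("\\")
    expected = SYSTEM_BINARIES.get(filename)
    return expected is not None and directory != expected


def has_derived_name(task: Task) -> bool:
    """Task name is the target's file stem, or the stem plus its first letter
    (smss -> smss / smsss, csrss -> csrss / csrssc in the list above)."""
    stem = task.target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(stem) and task.name in (stem, stem + stem[0])


def analyse(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group tasks by target path; return target -> list of matched traits."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            by_target[task.target].append(task)
    findings: Dict[str, List[str]] = {}
    for target, tasks in by_target.items():
        hits = []
        if is_masquerading(target):
            hits.append("system binary name outside its normal directory")
        if any(has_derived_name(t) for t in tasks):
            hits.append("task name derived from the target file name")
        schedules = {t.schedule for t in tasks}
        if {"ONLOGON", "MINUTE"} <= schedules and any(t.run_level == "HIGHEST" for t in tasks):
            hits.append("ONLOGON plus MINUTE re-launch tasks with /rl HIGHEST")
        findings[target] = hits
    return findings


def flagged_targets(cmdlines: List[str], min_hits: int = 2) -> List[str]:
    """Targets matching at least min_hits traits, sorted for stable output."""
    return sorted(t for t, hits in analyse(cmdlines).items() if len(hits) >= min_hits)


if __name__ == "__main__":
    for target, hits in analyse(SAMPLE_CMDLINES).items():
        print(("SUSPICIOUS " if len(hits) >= 2 else "ok         ") + target)
        for hit in hits:
            print("    -", hit)
```

Feed it the CommandLine field of schtasks.exe process-creation events (Sysmon event ID 1 or Security event 4688 with command-line auditing on) rather than the report text; the grouping by target path is what separates the three-task triplet from a single legitimate task, and requiring two traits keeps a lone "ExampleUpdater"-style entry or a single /rl HIGHEST task from firing on its own.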

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

C:\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/1344-12-0x00007FF894923000-0x00007FF894925000-memory.dmp

memory/1344-13-0x00000000008B0000-0x00000000009EC000-memory.dmp

memory/1344-14-0x0000000001330000-0x000000000134C000-memory.dmp

memory/1344-15-0x000000001BC90000-0x000000001BCE0000-memory.dmp

memory/1344-16-0x000000001BB30000-0x000000001BB46000-memory.dmp

memory/1344-19-0x000000001BB60000-0x000000001BB6C000-memory.dmp

memory/1344-18-0x000000001BB50000-0x000000001BB58000-memory.dmp

memory/1344-17-0x000000001B610000-0x000000001B61A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentProvider.exe.log

MD5 7800fca2323a4130444c572374a030f4
SHA1 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512 c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

C:\Users\Admin\AppData\Local\Temp\YkIhUEfdqs.bat

MD5 69180c06bc225b6274759fa9a9373f1e
SHA1 a95f887ffc26fec3854b1292b19fc56b6abf6e1b
SHA256 7223a7655e3b8b67638af8a7593115734f450e322cb9e15b57054b29cf18cf5a
SHA512 4de97c56a367c43a9a8f0ff54dacb051c595b141cd1698b335d6c44bd9c72207f8315cdd9a93f30b9e43b49c1a126218521ad2100c9ce903aa8d213cd353f097

C:\Users\Admin\AppData\Local\Temp\272b5457-e977-4289-910f-e0d43df25629.vbs

MD5 9e18f9e7761210dd19069f42920b592a
SHA1 e050210a0c8160a5ad53636befdea4d8fb734de9
SHA256 3b3ee5acf6a43708083a95cd0b9019648ce7dce8983ad97d318e2d7c1dd6f563
SHA512 729665685fab96d8463ed6b19b163c270256ccf80621c27188504f6e279efa05eb170e118e4d2c31e0db0b74550d7cb8fdd000a1c130d63a135ae15b942653d6

C:\Users\Admin\AppData\Local\Temp\3b76a79b-2908-4ba2-aff9-93ccb0cee04e.vbs

MD5 a65c73e49cea18d9ba072b6594a538e9
SHA1 7efce4a830926144f8f13959e0ecea390e9bae5f
SHA256 df424cfe654093294dce0027524490653782059a0bca496e998670b9d06f5a76
SHA512 5dd5b77854c39fbbd42ae03166f61b345460c14bc044a7e5a4c6de84075220bf815bb39f0a2fe959607853ca773c684600192efd685531d07382ce908d897214

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

C:\Users\Admin\AppData\Local\Temp\60accf01-42a2-4b2d-859f-edc63c1189a4.vbs

MD5 12fd69f7e7245639f487092d03a57bd0
SHA1 04a78292d76fe1dd3ba29cfdb836a6d26cdd3a60
SHA256 6dc4d1f90a7b7511ce513a6650759550ec03d32970cd12e4b2fad76e18b6ae15
SHA512 4865191242436cb4b1b2dc3e3140443cde3791f1f5c0643989b44a1fea2d132e989b79ecf810cae242e1f74efdd20e8c027fc9976a7a3c2751626e76f73f254f

C:\Users\Admin\AppData\Local\Temp\ddf69318-9cfd-4510-9741-1a9e77ed9686.vbs

MD5 97920642ff939b75f12760f1edf2f2b4
SHA1 34b8de1a432bd9d4f2c8f3c62e1d1d70d56a8ea6
SHA256 51bd0304e622557d0d8aa389433af217e2e1295c1adb126d93d069d40f3a74df
SHA512 d4049f9ea6273ab866444a63988044466df2177bc39bf2af9385403ad94a8e47e43e4e3f274becb7fc44aa83e48fcd001f9f3d8a0efe96cd8e662c8c2bce60e9

C:\Users\Admin\AppData\Local\Temp\3dd180d9-24e7-462c-a16a-09bb98dd5056.vbs

MD5 d5b7c1ad1d6ed1dc88a4f03dd6b3da76
SHA1 17f29502c7a0d3b6853cfa4db1120d97829f08b8
SHA256 1d7b23c4fd862fb77d1295945467170fbbb1b42d7a8666e387e126986a0c749e
SHA512 9fcb446ef81a4d2e7bd8dc12d1c54be8082662f7d27921b9468915b03ecd876f35c1c5d0e59370bee8bf44b46ec5ba735345adeb6dacbb3b1685df2e2743cfe4

C:\Users\Admin\AppData\Local\Temp\5940c224-8de8-46aa-bfd7-c3e7b61f9f26.vbs

MD5 824a5803d1fa7247d63ccc4fafbb4974
SHA1 0e69c83ebfcf576366119fee58c3cab4d2f45488
SHA256 15a3a26a22339ff0609b131531c2d38649791eeb6bc51adbfacdbb73dfb9863b
SHA512 c91e85b5d62d01732a90f21933dad4d838ba80dfe566fbabc1af1fe6566866864120eb0a539a8e109400838c1ea4a2b213bc5781e1b0629690bd1b2c1a355bf9

C:\Users\Admin\AppData\Local\Temp\b876ba43-ba84-40f4-ac92-7c5ac6c21a36.vbs

MD5 07f4bb81ae8a6c2d5b4bcc1a0a105799
SHA1 f17855438ae913cf9d7efebefc3f6a6f15971051
SHA256 717b5d28fcc1b0f6ee109a897fe3b2c7b77636691e438d2dbd029e26e9139110
SHA512 fba17f6ba71fb65d19cb225411d34dc4e618465343ed8a5cead05f03a6ad044d01037e713170108a5a0096fb34fa4417bcd91144dd7aa6db323b5ea1d1efe07d

C:\Users\Admin\AppData\Local\Temp\a83b522b-3738-4774-a0a9-aee2181ddab7.vbs

MD5 f59a232b6bbc394d122ac3fbd27cce9a
SHA1 d1224afa080c2c04af7b4d25149b218ad260210f
SHA256 70b19fd9363e1e39320779e62ae75a94abc6665c4a634005f9a57bbc68508314
SHA512 1fbfe37464984d6382eca11cedd9a5d65b4162cc41e009a5450dd5b1e84cdd50e5bba75c5320b361e6b01a881f5e8b9dffabddb0a2ed0d6ca4b8ad75a63f8a6e

C:\Users\Admin\AppData\Local\Temp\4ef1c718-f578-4b6e-98fd-9239568dbb88.vbs

MD5 ef909da2d5ea9cdb27d2b67a5557e1ff
SHA1 4a8e0d27e5abba91b5091f33dcf2dba069d49928
SHA256 46bcf327a42c87820be017f1c533bca06be1e11200362e58c2d16fd7b0cc3072
SHA512 de0fab844aa83ec1b34cd5ff006bb4c74350f7a55e58ab3d8d9137f1dec34ab4daf93b37b90fc856aea16b05ae602bdaae2d0c31bd875c1fd707261394920fd1

C:\Users\Admin\AppData\Local\Temp\77cf28b3-221e-450f-a834-cc6507a67b29.vbs

MD5 58f5c1be3e1c0fe2ea12d1ac9e23eee3
SHA1 cd0e2eb3d38ce89d206d4c2fb9f347662e5dc9df
SHA256 deecd2098f07b3ece4fb2e824e77e54f95046e3e762646a08da39ef61f18c438
SHA512 6f58fffbfaa6e400d1572ddd5e86a56b29267ac43166cbdfad65c87a7a968e9652b59e9b121010ffdc6a33ecf5578133691a7fda7c148b35e4d0b3e0f5367dbf

C:\Users\Admin\AppData\Local\Temp\f02e6da9-d8d9-4074-aa20-e5005f6e62da.vbs

MD5 3e7b1016110e4092717d76f7fbca8800
SHA1 79c6223bd5f6f4bb76946a7f8b83af3aaa963365
SHA256 da31b615c2cc38bf00de9ca7f41877c1ea1b5c61c34125f9cd4a0159f9a0c3b0
SHA512 db8de58c7232145713a4c0b96357a88a1e10fe7557ce0a0bcefe80eab333a997c470bed502519d78b1b6a96ba3b3223f925b5318b17d64d358d2b43d58901c39

C:\Users\Admin\AppData\Local\Temp\d991a093-9eed-4272-a150-62368c0fee90.vbs

MD5 c19610667d2b458b5a059eac97f47cdd
SHA1 956b879a65613a49387e1f8f3549d079676cb4df
SHA256 b3c88845c18158a6fdccb27f078df16f6c5585ad7277ba348862aa7ae14fbe13
SHA512 6a1271c47897e7ed2a86a1acfe3afc09ddc616ac25aedc92ad686ff2c7c295554b8209a80ce269ca6679b9052b8fb19fddbb90607579f2b87a052224224ed382

C:\Users\Admin\AppData\Local\Temp\58558bf3-1d4e-4be1-8f8b-b3fdf9b334a1.vbs

MD5 a399a14e50f15112192e52d6606f64b5
SHA1 107e09730b3207319389a573d1620e88d16a4b3e
SHA256 37203b4a1a26dcba242187c3bf21b2dcc0564cb18b0048f9c06ecf34f3ffa7dd
SHA512 2ec3fba5d83476a8e503df92300c105da61ce91e5ad3d708b60d242e327a4dc9e921fbba898dc1a7b3959cc6cfd493bb8ea378242d48886e4c789ca6304a3bde