Malware Analysis Report

2024-10-10 13:01

Sample ID 240618-knyvxawbqg
Target EXCheker.rar
SHA256 4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2

Threat Level: Known bad

The file EXCheker.rar was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

DCRat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 08:45

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 08:45

Reported

2024-06-18 08:48

Platform

win7-20231129-en

Max time kernel

126s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical entry repeated 24 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (identical entry repeated 5 times)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
N/A N/A C:\Windows\TAPI\taskhost.exe N/A
N/A N/A C:\Windows\TAPI\taskhost.exe N/A
N/A N/A C:\Windows\TAPI\taskhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ja-JP\AgentProvider.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\ja-JP\87d4071f03fa9f C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\TAPI\taskhost.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\TAPI\b75386f1303e64 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\schemas\winlogon.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\schemas\cc11b995f2a76d C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TAPI\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TAPI\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TAPI\taskhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (identical entry repeated 12 times)
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (identical entry repeated 2 times)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (identical entry repeated 41 times)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (identical entry repeated 23 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (identical entry repeated 41 times)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (identical entry repeated 23 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe (identical entry repeated 4 times)
PID 1616 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (identical entry repeated 4 times)
PID 2612 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe (identical entry repeated 4 times)
PID 2684 wrote to memory of 2256 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\TAPI\taskhost.exe (identical entry repeated 3 times)
PID 2256 wrote to memory of 2068 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 2256 wrote to memory of 784 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 2068 wrote to memory of 912 N/A C:\Windows\System32\WScript.exe C:\Windows\TAPI\taskhost.exe (identical entry repeated 3 times)
PID 912 wrote to memory of 108 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 912 wrote to memory of 1720 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 108 wrote to memory of 2900 N/A C:\Windows\System32\WScript.exe C:\Windows\TAPI\taskhost.exe (identical entry repeated 3 times)
PID 2900 wrote to memory of 2504 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 2900 wrote to memory of 2960 N/A C:\Windows\TAPI\taskhost.exe C:\Windows\System32\WScript.exe (identical entry repeated 3 times)
PID 1164 wrote to memory of 2468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (identical entry repeated 3 times)
PID 1164 wrote to memory of 1408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (identical entry repeated 22 times)

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\AgentProvider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProvider" /sc ONLOGON /tr "'C:\Windows\ja-JP\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\bridgesurrogateAgentFont\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\bridgesurrogateAgentFont\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f

C:\Windows\TAPI\taskhost.exe

"C:\Windows\TAPI\taskhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1529264f-06c9-48ed-b412-7235540d40b4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b913083d-f66a-4225-b660-074a87c6d9f8.vbs"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\TAPI\taskhost.exe

C:\Windows\TAPI\taskhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b652ff8-3534-4660-8597-0d7c38fc2828.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\797c8a3f-dbcb-4bb6-93b6-b79fecdac1a4.vbs"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\TAPI\taskhost.exe

C:\Windows\TAPI\taskhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39391beb-e27a-4b49-8254-01e64e2d4566.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d8061f0-1dd1-4310-b58c-9f011f6917c5.vbs"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6999758,0x7fef6999768,0x7fef6999778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1564 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1340 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3716 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3352 --field-trial-handle=1284,i,10046903945350678367,12520835244573079019,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.145.234:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.40:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 172.217.169.42:443 content-autofill.googleapis.com tcp

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/2684-13-0x0000000000F40000-0x000000000107C000-memory.dmp

memory/2684-14-0x0000000000570000-0x000000000058C000-memory.dmp

memory/2684-15-0x0000000000590000-0x00000000005A6000-memory.dmp

memory/2684-16-0x0000000000160000-0x000000000016A000-memory.dmp

memory/2684-17-0x00000000003E0000-0x00000000003E8000-memory.dmp

memory/2684-18-0x00000000005B0000-0x00000000005BC000-memory.dmp

memory/2256-41-0x0000000000260000-0x000000000039C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1529264f-06c9-48ed-b412-7235540d40b4.vbs

MD5 1fd30b700b0e783a3f98ab38239a52fe
SHA1 3f03e1435ec5b357b1137925b5610e9f61d5b2cc
SHA256 716964348f2a61c0ddaf075fcc36bfe3e5cf45019bf9c4d000173e2c955666bb
SHA512 e5780a6347d54d8dc9060a8a08f5fbebbc9d9fb2896ebea69cf5e7e54a536f0dec57485edb18166d73554a6751efc5f76ad4c92db2e75c31ccdce5b66da443e0

C:\Users\Admin\AppData\Local\Temp\b913083d-f66a-4225-b660-074a87c6d9f8.vbs

MD5 87f69d85748639b0398c0a407c63f59d
SHA1 2f64ac60ead11dace3290d9b0bbf173c1e72acf0
SHA256 d5f8e0aa1ea321e3d66302ba198e171992805c6aa513bab27bafa74b4a0f6aa3
SHA512 22cb6f638bf7bb2d24c47981f853f9782e350d2ed865d89d75e5e839ab70f1281e4b1d85be551ecbe4041b8a67a71592db103763cbbb9a08d5d30e6f84b5bbfc

memory/1144-51-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/912-53-0x0000000000090000-0x00000000001CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b652ff8-3534-4660-8597-0d7c38fc2828.vbs

MD5 28fbbe3f6378415711fbe33109cd0634
SHA1 e3e12598e359644de68bcedbefe314bec724b690
SHA256 20b4e6581f92a779d102958154728c67c084052b3a48276503a59986d6989f05
SHA512 db5bc4694ccc630e01ef77cb40d5adced7949d0c7d60b485e733181d4d891b26c7ccb8efb15d551adbeabbf0e018442809baa57737f4a3ed1d2d6dc620af41c5

memory/2900-65-0x0000000000FA0000-0x00000000010DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39391beb-e27a-4b49-8254-01e64e2d4566.vbs

MD5 aeabd8fab8d11e762f568705aecff5a7
SHA1 5b6d5fb1a0034ab669da0baf3a4fedfbcc777764
SHA256 c2fea2cf74346c697328f3c11c2ff52189d6b46091178596a45f324b6ace38a2
SHA512 41f4a3afbd102a7e1c8f7f1e65030979f1d7e7aa1e07131d038f2c791ec8c141de57aa1a801ecee140cd55923bc9d8bc1f1111ed60f3b63380325c37b1c68434

\??\pipe\crashpad_1164_RRMTSOZSJKGVRXOP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\CabDE9C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

MD5 99916ce0720ed460e59d3fbd24d55be2
SHA1 d6bb9106eb65e3b84bfe03d872c931fb27f5a3db
SHA256 07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf
SHA512 8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 08:45

Reported

2024-06-18 08:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\bridgesurrogateAgentFont\Registry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EXCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Common Files\System\38384e6a620884 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\121e5b5079f7c0 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\dotnet\OfficeClickToRun.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\cc11b995f2a76d C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Common Files\System\SearchApp.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\9e8d7a4ca61bd9 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ea9f0e6c9e2dcd C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\ea9f0e6c9e2dcd C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\dotnet\e6c9b481da804f C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\38384e6a620884 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\bridgesurrogateAgentFont\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\EXCheker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
N/A N/A C:\bridgesurrogateAgentFont\Registry.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
(the row above appears 64 times in the original table; identical repeats collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 408 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 780 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 552 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 2968 wrote to memory of 2004 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 2968 wrote to memory of 2004 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 2004 wrote to memory of 4312 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2004 wrote to memory of 4312 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2004 wrote to memory of 4292 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2004 wrote to memory of 4292 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4312 wrote to memory of 1548 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 4312 wrote to memory of 1548 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 1548 wrote to memory of 3864 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1548 wrote to memory of 3864 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1548 wrote to memory of 736 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1548 wrote to memory of 736 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3864 wrote to memory of 2184 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 3864 wrote to memory of 2184 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 2184 wrote to memory of 3096 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2184 wrote to memory of 3096 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2184 wrote to memory of 2556 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2184 wrote to memory of 2556 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3096 wrote to memory of 1376 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 3096 wrote to memory of 1376 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 1376 wrote to memory of 3524 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1376 wrote to memory of 3524 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1376 wrote to memory of 1888 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 1376 wrote to memory of 1888 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3524 wrote to memory of 1092 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 3524 wrote to memory of 1092 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 5036 wrote to memory of 4372 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 5036 wrote to memory of 4372 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 4372 wrote to memory of 5100 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 5100 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 1996 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4372 wrote to memory of 1996 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 5100 wrote to memory of 4088 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 5100 wrote to memory of 4088 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 4088 wrote to memory of 372 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 372 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 4492 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4088 wrote to memory of 4492 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 372 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 372 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 2676 wrote to memory of 4768 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 4768 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 2744 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2676 wrote to memory of 2744 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 4768 wrote to memory of 2872 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 4768 wrote to memory of 2872 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 2872 wrote to memory of 3276 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 3276 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 2272 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 2872 wrote to memory of 2272 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3276 wrote to memory of 3920 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 3276 wrote to memory of 3920 N/A C:\Windows\System32\WScript.exe C:\bridgesurrogateAgentFont\Registry.exe
PID 3920 wrote to memory of 4996 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3920 wrote to memory of 4996 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3920 wrote to memory of 824 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe
PID 3920 wrote to memory of 824 N/A C:\bridgesurrogateAgentFont\Registry.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\bridgesurrogateAgentFont\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\bridgesurrogateAgentFont\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\AgentProvider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProvider" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "AgentProviderA" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\AgentProvider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\bridgesurrogateAgentFont\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\bridgesurrogateAgentFont\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\bridgesurrogateAgentFont\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\bridgesurrogateAgentFont\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\bridgesurrogateAgentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\bridgesurrogateAgentFont\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\bridgesurrogateAgentFont\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f

C:\bridgesurrogateAgentFont\Registry.exe

"C:\bridgesurrogateAgentFont\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156a4160-1479-40eb-a3e8-4a620a1e9ac2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf54dfb8-2114-4128-8e79-a8d9172ed7bf.vbs"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cf2b6c9-5bfb-4645-8d99-de63f63a9a1f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f032b9dc-f125-45de-906d-13a999b08412.vbs"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1fcc2a5-9dbd-46c5-a7f6-5c62a90b89eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a721ebe5-5194-4862-8bc5-8dd93f8f5286.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a25b5a-65f1-4b93-b32d-00810eb49b0d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fabacd4-9c3a-40d9-b188-ad72a7916d52.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed86d682-33f8-4e92-97ae-edfce9bfdb23.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d78e8b45-61eb-4c07-8858-701dc9852231.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0fcd57a-f384-4832-8765-597c01ed435a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb80497a-d7bd-4636-aaa0-2b0a0c5a396b.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ce41d4-e0e9-414d-b76a-36aacc3de6a9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd8b7af0-61c0-45bc-b732-783606ab1e1d.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95c3cd9e-653c-427e-8a32-0d4322e00378.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9a7c5f-fac7-4631-b64a-01f85806cc55.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4588f671-5878-41b4-89db-6f22d30b3b94.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544693ec-8b28-4662-bdb3-f5d715968bc3.vbs"

C:\bridgesurrogateAgentFont\Registry.exe

C:\bridgesurrogateAgentFont\Registry.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb67e1c-78a1-4264-ac02-d5e4cb644a2f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aade6c79-7f42-45d5-8509-6ad432b310fe.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

C:\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/2968-12-0x00007FFB54CF3000-0x00007FFB54CF5000-memory.dmp

memory/2968-13-0x0000000000200000-0x000000000033C000-memory.dmp

memory/2968-14-0x000000001AE40000-0x000000001AE5C000-memory.dmp

memory/2968-15-0x000000001B4F0000-0x000000001B540000-memory.dmp

memory/2968-16-0x000000001AE60000-0x000000001AE76000-memory.dmp

memory/2968-17-0x000000001AE80000-0x000000001AE8A000-memory.dmp

memory/2968-18-0x000000001AE90000-0x000000001AE98000-memory.dmp

memory/2968-19-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\156a4160-1479-40eb-a3e8-4a620a1e9ac2.vbs

MD5 a6cd7a465987392227cd85164aa484d9
SHA1 afee82fb5626f07482f32b926de054ec951ced43
SHA256 a6c7f1604004f7c2adf128be745e546c8f4bfe078e767c7bfe435568db49e40f
SHA512 231203a9a13fc01af1584da2ba0a324d0a3c4471acdffa73ba90799b7392fbeef44856c9a3cd8ea2fb7c770909b70b4cbd1cc7413022ebc07a7d61cdff9e71d0

C:\Users\Admin\AppData\Local\Temp\cf54dfb8-2114-4128-8e79-a8d9172ed7bf.vbs

MD5 655c6eac1bce23081cf809050357b6de
SHA1 a58fc77b046b446716fb0c2816742e4e12a5297e
SHA256 407e3305b1c3a8c307c1615475a71065a6b6dc5b2f03310b61045dc0f93ca4c6
SHA512 22a37bd8d7530fd97fe8cae9bee017f0f61ac7f0ed40494d95f3d3bc71a9ce41317105c70f203528be728093722acc3df8a2a83e72065bb3480d39cd365448e9

memory/3220-78-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-79-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-80-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-86-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-90-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-89-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-88-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-87-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-84-0x0000022705250000-0x0000022705251000-memory.dmp

memory/3220-85-0x0000022705250000-0x0000022705251000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

C:\Users\Admin\AppData\Local\Temp\9cf2b6c9-5bfb-4645-8d99-de63f63a9a1f.vbs

MD5 7f6959d626dadc06f0b77db66e616064
SHA1 c7a82066ad601477c052aa94004cdeece5e1a383
SHA256 d906516f135c7d2bcb486b5a9273023ce84af065adf6cd156df5ac0935b73f91
SHA512 6d9981be53879995e131214cdaf3374d76674817fb0790e1fa2d657f13a8d9a1b479d899b8aa2f21266429e06ea63765fcd63bffc2d39091ef39e3e765072945

C:\Users\Admin\AppData\Local\Temp\f1fcc2a5-9dbd-46c5-a7f6-5c62a90b89eb.vbs

MD5 246aedf090d14003919ec6ad3dcbeed1
SHA1 0602fe463fe5705aeca4b3ef26acf38fa0d0365d
SHA256 00893757e42542d674fc5bfd370c42c12e197b7074b2c00969dabb143ac9b1d3
SHA512 c789341e48e8583890307dc2a745c05fb41777452f3f4b67401a2d46c2e70a02879404f14aa66436e7ba6c46753cece925e890195b1d119c0e0eb6a3d489fdab

C:\Users\Admin\AppData\Local\Temp\d9a25b5a-65f1-4b93-b32d-00810eb49b0d.vbs

MD5 f858ee5d05f19b2f9cdd8f21b1bf7ba9
SHA1 996334ba7ff9d0145af0076111425c9107b445cb
SHA256 4e5818499754b5fd3c72aa0fb2cab59d46bfa6f347bfb38eb8f653aaf4cea904
SHA512 d70f0dc84ae1dc4472ed93f9057c618ce68a6def46b5d8b636bc2f200280c8aca2e19377c1b5e0b57dbb2ac610dab405f876ebf3e1f07e2057ae45c1ead80bd0

C:\Users\Admin\AppData\Local\Temp\f0fcd57a-f384-4832-8765-597c01ed435a.vbs

MD5 24e44eea3ac11feff58a1dde8be7fe96
SHA1 766d86d074ae05f34520ac63346524294267d916
SHA256 382ab2ad629773a4844c97853acec64bd12e2f4a0d4676e5d9012e17eb0e85b4
SHA512 0859d72614136d2605c2a06bc25e6fb691531a413ffb887037cfbc589c00e7b3f74aeb1a27d001534a2b8afa182d041822da6b02d70393ce614b1f83a17f9e7e

C:\Users\Admin\AppData\Local\Temp\80ce41d4-e0e9-414d-b76a-36aacc3de6a9.vbs

MD5 1f38b45e41b2d074aa6aa35dddfa183b
SHA1 311879247f6ebe1fa496822c253fb62b31e0d00e
SHA256 669e1584773b21621119ebd4ce8ec1e7a80381692953e9db0042a12df14a4ccf
SHA512 0ba8d06fa4752795c1eb2881723223f7d116a9703284bd9730c87a987da822fed34b0512bf64d311447dbc7a4757c1794755e55f1047d64cc2d81191e9d97bdf

C:\Users\Admin\AppData\Local\Temp\95c3cd9e-653c-427e-8a32-0d4322e00378.vbs

MD5 043937151ef3e5bc244c53fdf27ef1f1
SHA1 e80ef12e611504a6ed483d8b91ac6bd5c92fc0a9
SHA256 3c82b6433aed38fafb727db990fa30b26bf80fef38d2dfa77b09166ddaa78be4
SHA512 5be6978a2989172abe920d0b30d96a50290ba9056434c5ecc244ee0d75465923ad8560faae1e7f8435fe7fa46b44ff34bf99df67fbd7bd50474cd3dc4bec5005

C:\Users\Admin\AppData\Local\Temp\4588f671-5878-41b4-89db-6f22d30b3b94.vbs

MD5 d3c650af130e0634b63f0c69da37e61d
SHA1 088cf27fddccecef7e64ef2d5287516a7a3ec1bf
SHA256 e9e15c62b1682ab11c8ca3c2fded4df9b64738b0601955a12b0d4b57765b47a6
SHA512 0eb2195db1fb0e680fa57c0734f22ebd1d34f7d787fca82ab88a6c73ba8722380737db5fdc3e95e6551b0a759dbea109ac2db3c9a6fd5d9842cda33c2912a0f1

C:\Users\Admin\AppData\Local\Temp\6bb67e1c-78a1-4264-ac02-d5e4cb644a2f.vbs

MD5 416d6772ea6594ef84ebf7576b1fda71
SHA1 f806862cc0c71f9d643b34e9d1cb8492d9863b1f
SHA256 a744236dd8ab58e7cc481c65347966118915bedac8a16b34cba02ea2c25fd8dc
SHA512 585f6bc8a42ffd93841beee375533368974d503950c91c2b421f482af0679e85ee09e8a839ecc254809aca6362df9f101de7a3c3df000e3acb18b8c02457789c