Malware Analysis Report

2024-10-10 13:07

Sample ID 240618-krs4tswdka
Target EXCheker.rar
SHA256 4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2
Tags: rat dcrat evasion infostealer persistence spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4da4cda309e6e284c0c6f123014672cf5b964f528ae86faa0a6e94ce32a4e6e2

Threat Level: Known bad

The file EXCheker.rar was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion infostealer persistence spyware stealer trojan

UAC bypass

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

Sets file execution options in registry

Modifies Installed Components in the registry

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-06-18 08:50

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 08:50
Reported: 2024-06-18 08:53
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row reported 57 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(identical row reported 3 times)

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\6cb0b6c459d5d3 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\csrss.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\spoolsv.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\f3b6ecef712a24 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Mail\en-US\088424020bedd6 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\886983d96e3d3e C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Windows Mail\en-US\conhost.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\wininit.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\56085415360792 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\Migration\WTR\sppsvc.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\Migration\WTR\0a1fd5f707cd16 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\es-ES\c5b4cb5e9653cc C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\ModemLogs\sppsvc.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File opened for modification C:\Windows\ModemLogs\sppsvc.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\ModemLogs\0a1fd5f707cd16 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Windows\es-ES\services.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical row reported 57 times)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
(identical row reported 3 times)
N/A N/A C:\bridgesurrogateAgentFont\wininit.exe N/A
(identical row reported 13 times)
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
(identical row reported 48 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\wininit.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
(identical row reported 9 times)
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
(identical row reported 2 times)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
(identical row reported 4 times)
PID 2988 wrote to memory of 2536 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
(identical row reported 4 times)
PID 2536 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
(identical row reported 4 times)
PID 2652 wrote to memory of 2884 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\System32\cmd.exe
(identical row reported 3 times)
PID 2884 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
(identical row reported 3 times)
PID 2884 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\bridgesurrogateAgentFont\wininit.exe
(identical row reported 3 times)
PID 2648 wrote to memory of 1524 N/A C:\bridgesurrogateAgentFont\wininit.exe C:\Windows\System32\WScript.exe
(identical row reported 3 times)
PID 2648 wrote to memory of 1788 N/A C:\bridgesurrogateAgentFont\wininit.exe C:\Windows\System32\WScript.exe
(identical row reported 3 times)
PID 2648 wrote to memory of 676 N/A C:\bridgesurrogateAgentFont\wininit.exe C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
(identical row reported 4 times)
PID 2648 wrote to memory of 2344 N/A C:\bridgesurrogateAgentFont\wininit.exe C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
(identical row reported 4 times)
PID 676 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe C:\Windows\explorer.exe
(identical row reported 4 times)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\bridgesurrogateAgentFont\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\bridgesurrogateAgentFont\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\bridgesurrogateAgentFont\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\bridgesurrogateAgentFont\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\bridgesurrogateAgentFont\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\bridgesurrogateAgentFont\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\bridgesurrogateAgentFont\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\bridgesurrogateAgentFont\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1OG6iwOmz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\bridgesurrogateAgentFont\wininit.exe

"C:\bridgesurrogateAgentFont\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28c210b3-980a-42fb-b20d-c5efa6413ce5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e551eba-7a7b-4da9-aa8f-02eb352cadb3.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker.exe"

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe explorer.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe "explorer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x540

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.21:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.21:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.21:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.21:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.21:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.129:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.129:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.129:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.129:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/2652-13-0x0000000000AD0000-0x0000000000C0C000-memory.dmp

memory/2652-14-0x00000000002C0000-0x00000000002DC000-memory.dmp

memory/2652-15-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2652-16-0x0000000000140000-0x000000000014A000-memory.dmp

memory/2652-18-0x0000000000490000-0x000000000049C000-memory.dmp

memory/2652-17-0x0000000000480000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w1OG6iwOmz.bat

MD5 3ae230d6c6cda64a3f772d5289ea3bba
SHA1 5c0b5b265befac5d0a59906aa0496d33dc2638a5
SHA256 4d2ea3057bf842ba9cbe52907efccd26b40254242d9198a684775e9c4787571a
SHA512 85f38352eee9525ac1859d03284129f9818f6a882acdbac3f8d473633570deab42d3b9d5a20cbbf46a2f59a873cd59922881b0cf46cbc428c7c66a93860fd862

memory/2648-64-0x00000000008F0000-0x0000000000A2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e551eba-7a7b-4da9-aa8f-02eb352cadb3.vbs

MD5 c769ffc0de871a986aca568fc2e87323
SHA1 e1b7800cbd9738ef99992aeda98610d44712b58e
SHA256 0638ef4307ef897a32f310bec04ca1d8c3857d932d835637e0e3466c76db367d
SHA512 c3b1e0337a934db453aafb708dcad336c034e060f334249eae9de6606e29b05b311829144a383c53165c88527329e07d20622773ab801d9420cfacd6ba3d4388

C:\Users\Admin\AppData\Local\Temp\28c210b3-980a-42fb-b20d-c5efa6413ce5.vbs

MD5 3ef5382953cc71d8aafaed59e546dee5
SHA1 73a444b83a1fe23eac551976099d473b666895d6
SHA256 b045d5c933fe71a3bcc5186039130449752de7900a8700f30205f41126642bdb
SHA512 2afb1fd5269faf4a018836bea3cb2354550a7c19e0867a30f0d5b47938b26fee800067f561ed1bfcc45c4b7e406a0bf2f11f88cdc6fd6972f7f5305faa490382

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

MD5 9c75327333c7c8bf26fee3e7d3b34cd2
SHA1 ebcca4f4a538f4725c1d063d6f3af8f0f097d11a
SHA256 3cee8d85cbc8ade23c6a98f450108bbbf3ca30f41ef5286eb6ed7fa1127e04c9
SHA512 631cc9fb7149fa780bc2cb08f21b2054a8bf46a4650ee02e933bbf4be9ea54caa280b07fcdadaad5dc651bfe798c32b5968be907bd4a441cd7fa304047a6cc7e

memory/1368-105-0x0000000077080000-0x000000007719F000-memory.dmp

memory/1368-106-0x0000000076F80000-0x000000007707A000-memory.dmp

memory/1368-104-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-128-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-151-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-170-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-191-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/2648-192-0x000000001A8C0000-0x000000001A8D6000-memory.dmp

memory/2344-202-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-215-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-240-0x0000000000400000-0x00000000006CC000-memory.dmp

memory/676-243-0x0000000000400000-0x00000000006CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 08:50

Reported

2024-06-18 08:53

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EXCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\3D Objects\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\SearchApp.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\VideoLAN\38384e6a620884 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Google\Chrome\sihost.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File opened for modification C:\Program Files\Google\Chrome\sihost.exe C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
File created C:\Program Files\Google\Chrome\66fc9ff0ee96c2 C:\bridgesurrogateAgentFont\AgentProvider.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\EXCheker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\3D Objects\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgesurrogateAgentFont\AgentProvider.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\3D Objects\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2472 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2472 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\EXCheker.exe C:\Windows\SysWOW64\WScript.exe
PID 1076 wrote to memory of 4412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 4412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 4412 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 4412 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgesurrogateAgentFont\AgentProvider.exe
PID 3092 wrote to memory of 4464 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\System32\cmd.exe
PID 3092 wrote to memory of 4464 N/A C:\bridgesurrogateAgentFont\AgentProvider.exe C:\Windows\System32\cmd.exe
PID 4464 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4464 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4464 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4464 wrote to memory of 2652 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\3D Objects\csrss.exe
PID 2652 wrote to memory of 4552 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 4552 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 4384 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2652 wrote to memory of 4384 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4552 wrote to memory of 3680 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4552 wrote to memory of 3680 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 3680 wrote to memory of 4032 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 3680 wrote to memory of 4032 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 3680 wrote to memory of 3860 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 3680 wrote to memory of 3860 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4032 wrote to memory of 4520 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4032 wrote to memory of 4520 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4520 wrote to memory of 2116 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4520 wrote to memory of 2116 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4520 wrote to memory of 4292 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4520 wrote to memory of 4292 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2116 wrote to memory of 4824 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 2116 wrote to memory of 4824 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4824 wrote to memory of 4856 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4824 wrote to memory of 4856 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4824 wrote to memory of 2108 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4824 wrote to memory of 2108 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4856 wrote to memory of 5020 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4856 wrote to memory of 5020 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 5020 wrote to memory of 3392 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5020 wrote to memory of 3392 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5020 wrote to memory of 2884 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5020 wrote to memory of 2884 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 3392 wrote to memory of 5000 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 3392 wrote to memory of 5000 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 5000 wrote to memory of 3288 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 3288 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 4508 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 5000 wrote to memory of 4508 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 3288 wrote to memory of 2100 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 3288 wrote to memory of 2100 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 2100 wrote to memory of 4640 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 4640 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 2836 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 2836 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4640 wrote to memory of 4048 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4640 wrote to memory of 4048 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 4048 wrote to memory of 1052 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4048 wrote to memory of 1052 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4048 wrote to memory of 1540 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 4048 wrote to memory of 1540 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 1052 wrote to memory of 936 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 1052 wrote to memory of 936 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\3D Objects\csrss.exe
PID 936 wrote to memory of 116 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe
PID 936 wrote to memory of 116 N/A C:\Users\Admin\3D Objects\csrss.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EXCheker.exe

"C:\Users\Admin\AppData\Local\Temp\EXCheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat" "

C:\bridgesurrogateAgentFont\AgentProvider.exe

"C:\bridgesurrogateAgentFont\AgentProvider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ebB2FGA79L.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2337b2fd-cf9c-4802-9360-92a0a4621d04.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7ab670e-25c7-4321-aac8-a2a11e850afd.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa262e3-61cf-44ae-b6ca-6afebc1d529c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85b2f13d-2a0a-4ed0-b256-36e1a1ad2743.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad186e1-b6aa-43fc-a74d-19febf78c844.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b09740a-5eda-42be-9047-15b2d225ad8a.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6caa9770-809a-413b-8806-7dc4d9356528.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d275e2c7-a3cb-4e5e-b9e6-1bfd5bb057b7.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c7e217-f731-49bc-83dc-397b4246a595.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a682f23-4dc4-4763-b44e-3ecc5bdc083c.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57ead019-250e-41cc-9064-553d414407f1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10efdc02-52f4-448f-bc0b-25cb0a797329.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb7f6919-8b5d-4c87-afdb-74c2e716c640.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afdbe0c0-714c-4849-8e92-ed9ec983c5b1.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a22ffd-fae3-4a22-be0b-b7dae0a4e792.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef4e4848-be76-4c1d-9be6-e0376e3d6a19.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986b10ad-bd46-4977-a464-792f0c20b889.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b901d0f8-18b4-4b52-861a-ffb49317ddb5.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\905885b4-767b-4f60-8003-c4a73bd6c78d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7faf1935-1a34-4921-b200-9dc195c3ecb6.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27160ca6-bece-4efb-aea0-6c94100820e3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e056a892-c279-4c7e-94d6-60cab254c2ea.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbb4bbf5-8c33-41e4-8b80-a33e5f7adc23.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fc8f688-77d2-450c-867d-f6707a24ae20.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2152906-9b50-4388-9ca1-35dded9419f2.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caaeebc9-2d8b-495e-ad52-f010f9fd5788.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b695f8ef-ac5c-4ffe-aa18-3e4472bebd30.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f418dac-56c8-42ed-82a0-49a64d72d809.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071ded5b-28fd-4449-ac65-19885f1231eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76809012-b3cd-4af1-86d4-fddaa06a066f.vbs"

C:\Users\Admin\3D Objects\csrss.exe

"C:\Users\Admin\3D Objects\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1193ed6e-983c-4863-8895-80a30d6a07ef.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\849a2af3-1af5-4cc4-9ee9-510c54f0b170.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp

Files

C:\bridgesurrogateAgentFont\Ccgv8PV00BrcES4pwOL2gb2w.vbe

MD5 5f029eae663f2502df3464cd711d4347
SHA1 61c86dc92b67e65b7c85c64594ff97140b3168ce
SHA256 ff506ca08e22a56a084dbd8160045729a6d14d82258e40f936638c174a2c3622
SHA512 f9f56f9803be2a1a2c372deaf05fd0e518fb260f2846d892a83f7e44ac0b59b790be4bb0815627d004b8635fd1d9e77b5571afce1d992b55e7386b597d39779c

C:\bridgesurrogateAgentFont\ZbvYpyO1uZWKdGvUmorUeHe.bat

MD5 d723af7383c6c7c9cfe4c51ebbe3b9c7
SHA1 db0c0c570da18e80fa176d6ac9a6f8f008238da7
SHA256 a855c002602a844ac257a3e11ddf5227aec96d77fe9b7172729856ebff42273e
SHA512 63316642c533aed7a581a5268941d461004e92fdff001178e9e498b7a5e0a96fe0ccfd4977a67e76f65dd8253698874a02b9ba8e7609c801d77e5189f4cbd56f

C:\bridgesurrogateAgentFont\AgentProvider.exe

MD5 b1130e50aedfd408e93334fce676f4ee
SHA1 f8e65fa8b009ac6369988b56b1fb456595f369bb
SHA256 6b9569c5a58b74855b4616b3a42e819692669df758b343b1bcd8042cb56af52b
SHA512 8cc3891150a13e72193bea907858862ca714b7e867402692a8ac76ccff176c0d50f0f19ac223a1a76dbfe74aeed46af7154532335efb76f851f626611bf848af

memory/3092-12-0x00007FFDEB663000-0x00007FFDEB665000-memory.dmp

memory/3092-13-0x0000000000D30000-0x0000000000E6C000-memory.dmp

memory/3092-14-0x00000000017E0000-0x00000000017FC000-memory.dmp

memory/3092-15-0x000000001BB20000-0x000000001BB70000-memory.dmp

memory/3092-16-0x0000000002FB0000-0x0000000002FC6000-memory.dmp

memory/3092-17-0x0000000001780000-0x000000000178A000-memory.dmp

memory/3092-19-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

memory/3092-18-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ebB2FGA79L.bat

MD5 59a9b3c3fa27f3eb35ec722383a0b283
SHA1 adfa6e03e93cf6a319e812ee325740ec3455ee3c
SHA256 f7a8309ff0bbd9144b0687281a172196bf4a37df756e92d08daa786d2936890f
SHA512 c9bd0c2ba93187ad69762ed63349ccc12e9be0a1d2f9dd6c1c908820f402df5119b77496dc2d28162e52cdbc45c8aa15f99073ab5b7e28aa03518205d2ec0cc2

C:\Users\Admin\AppData\Local\Temp\2337b2fd-cf9c-4802-9360-92a0a4621d04.vbs

MD5 6758b2667549f1ed155817821b3ba714
SHA1 f7570d136d906a0206c94a233ec7bee47979673f
SHA256 227b304ce371338a0a876ec76b6b1eb34361ac0410231bd0bd254a93a7c9d70a
SHA512 e0d2c44db5e6c1cc3e7c6f5b2d342d3d9155006e79b055e19c0e146acad8a2bf049496d0d0e68b9d7bf6feb0c5bb69b345fc3f8364d1f12e05b50b07663e294c

C:\Users\Admin\AppData\Local\Temp\b7ab670e-25c7-4321-aac8-a2a11e850afd.vbs

MD5 a617e1f922e7536857ff9419eec6d567
SHA1 0782bff4b9b4cd9e430d1b86d126878834dcc737
SHA256 bcae6616a1c887236fc03c68fb680d8d82f74723f7a1df2504a6acf3e3b5bd5c
SHA512 aece98e585d0389a0881a1af9a692f6204169d708e0219ea6b17b8a50fda05421d607dac9649db257f8ecf2578c0ef24614c044a9751e0ebb963fb3ee53c07b9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

C:\Users\Admin\AppData\Local\Temp\8aa262e3-61cf-44ae-b6ca-6afebc1d529c.vbs

MD5 4836511121f87c0e4e82a55167fcfd7f
SHA1 c6f00148ce96add02edaba7afbad8e681cb8f7ed
SHA256 0e865b27ef1152c5c943416afd31edf03e92132257e04f156aa2e76b9601f43e
SHA512 c340275bc415e25187e0f37c1ee693a0e5b357cef13683b7e61e27918e77f73ee5e32a55f0cfbf6e6161d5f66f67a62f8b0e0c2b85dca94177466b63c2d9ca56

C:\Users\Admin\AppData\Local\Temp\3ad186e1-b6aa-43fc-a74d-19febf78c844.vbs

MD5 6a6d7f156e1a8ff029fe41e2d1f02e8f
SHA1 90a177babdf81f44ea8afab2c03d0bf9bb9ea6d4
SHA256 f7842b76bfe942938d5bdc7f395c9d3b41093003089ed570c8f412a0c35339be
SHA512 a31eda863b96d72c558a84a7c7d443b5ecb176929422409d33c8b82dc3b1555398a869d50fb54adf63a2a71615f821aec1cb075cf85993b783ae83c8efa7e24a

C:\Users\Admin\AppData\Local\Temp\6caa9770-809a-413b-8806-7dc4d9356528.vbs

MD5 ff049499dd9568b1a50cbaa7b6571669
SHA1 ec83038515b84a3ff57c107b05fc7acf7e59018e
SHA256 a2343c49083f84ab233e90c5f2d2d498efc76bf613135ba5effa4f49f72233f5
SHA512 5976de88ea125e029cf1848934518349139674f454eb65eb1ab3ac656c1eb7a24b32a155b358cb8360acc56dff171135ef125f8e439d3d85a1e839d02683a457

C:\Users\Admin\AppData\Local\Temp\b5c7e217-f731-49bc-83dc-397b4246a595.vbs

MD5 fce93452074ab4d52c7f2ae9f94aa1b0
SHA1 9c303260ba721e8ee93bb1ae446793eccd6f47b5
SHA256 a7c27c7f2845575a20a73f499ff57708c45f15cbe27543d7170ca772bdd1304f
SHA512 c1a45a2b4252e1183caf12b3b4098ea935e1f62b9a7f00e298b2076108a6b58d4836a5518d9c3bb616e9b4e6ffef0123bd01d9e6d9e86d9c5934f6f5286e8c26

C:\Users\Admin\AppData\Local\Temp\57ead019-250e-41cc-9064-553d414407f1.vbs

MD5 a1c4de18715b825cba9d3e9d79092316
SHA1 b3b0ceb83a198b90ef44ab865458032536ec5757
SHA256 64d1203501cd9bd4a27a1352dd7ae82bb44a99cdc7fa1e3374ebae911e79d2bc
SHA512 d9c499e38a4ace975bea43fdc7fb3f85bf310f428f0b457abdb816fcbf04f49d19ba8f69db616340d63359421388633530964ccb66852e6a51db48a9f45408c8

C:\Users\Admin\AppData\Local\Temp\cb7f6919-8b5d-4c87-afdb-74c2e716c640.vbs

MD5 f9c8ce6aea7ab08d03d03ab7f725abe9
SHA1 e2202a614d2377ab84f55d17ae4e46e969a27bcc
SHA256 cd615fa70c7cd6f3e66a9c57b227781f8b3c5391819077081d9c2695339faddf
SHA512 9b4b9135069748c5f5426d69034ade605ac7d700a0954680fb35fc79946b9ecc59efe589e149f6861316b79cc015f18dd7270829b388b7e256b5e4344a9c38ea

C:\Users\Admin\AppData\Local\Temp\36a22ffd-fae3-4a22-be0b-b7dae0a4e792.vbs

MD5 e1843791202b84c7ca7a0ce111da97a3
SHA1 8bd785a88175643f541493bab775d51c5f8c4ec8
SHA256 2ac7d72deac793e538a71980ce39e8c2f7f7ad80c3d088da5333b9a7b98c8b7a
SHA512 b12f6f1594def2d239105e84eb4e0307275488953eadbd5caec07ed9b38cb5d08833163025115b26204dde04630a3f9d692c9b9016660d95c7decbf2ea9a5a80

C:\Users\Admin\AppData\Local\Temp\986b10ad-bd46-4977-a464-792f0c20b889.vbs

MD5 62f767e6639bb8ddb265790c33fb65f7
SHA1 c95037a7a0eaa6d7ab844765db725f546934216f
SHA256 f1be694aa886b1509a8d5e0e199eae05fc688323d64c001583a3071a9447c3d3
SHA512 af3739aba7ae86774b9b63025c8174693c7afcc79bcf98a1593b58cc2d42664bfeaf56a6ac743b6d84f72cdd83f9a1fac7eddd6c5c5e7f732eeff7e657ad556a

C:\Users\Admin\AppData\Local\Temp\905885b4-767b-4f60-8003-c4a73bd6c78d.vbs

MD5 821b0dd994b334e3a10d2dfb3263b2c6
SHA1 1401dc6e5631d6d7d48453297d4b55665ca44d32
SHA256 386a100079157349977d23ce423e3a15db72bb2acbdfc9a40e5c2b50b623c60a
SHA512 eb99efe2ce7437b9e1314dc9e2cf8c52716e86c7fcc15369800e9c6e25a99f72a7ba679ab2baedfcc3dc8e65184a4404500669a804e5f567438577587a8ca970

C:\Users\Admin\AppData\Local\Temp\27160ca6-bece-4efb-aea0-6c94100820e3.vbs

MD5 40737a5b89f110f3e245e6a3403a48c3
SHA1 5c99276c44fc80e85cfd4cb6f6391baa92efeab9
SHA256 b4eea676da9073c4587827dc654552fcacc46d4a6e9bbe5e272d9337cfa24e74
SHA512 f8b0097bea65be8948db05f193a0004aa46f56df3336d967f45f752d23bf299b9736f8731eb87a6eb9e5f57dd68991522e132672595d198dd49ea006d6ff6ee5

C:\Users\Admin\AppData\Local\Temp\dbb4bbf5-8c33-41e4-8b80-a33e5f7adc23.vbs

MD5 6125db86de8484f9d73cb87458fd474a
SHA1 ae6fd0f095dfc6f833c610ff34b50d8f701cc54a
SHA256 d86b2502262f20d396d98faacef6df493511b5bed5956887cc07e5297f985c4c
SHA512 00b676514a692d8bd937b3ee0e05e17f3420b7e3d208a2bd498bb01e84ca58282035fa23025c5e6e9bc90e63a9c4c8e84562e89a6a360f4e3586821502088cc1

C:\Users\Admin\AppData\Local\Temp\e2152906-9b50-4388-9ca1-35dded9419f2.vbs

MD5 93376e8247e2ede6b330406c9609765b
SHA1 2530c95d61a828014ccfc3b2527c15676952c522
SHA256 983a164b956dd625dd013cea04af0d7911708bfd9ab652e789d25814b39de11b
SHA512 9e75ca510c1d9c3801786c53468cf18fe7663c0c4a13b18af0cbc34a713f8a9e3ebb75f3956ff9d725b4090c768c70478e321f7ca62f87e9b41c7474e9c9d818

C:\Users\Admin\AppData\Local\Temp\b695f8ef-ac5c-4ffe-aa18-3e4472bebd30.vbs

MD5 2918d08b02190fa692d65a2702149ede
SHA1 2b65608f02c2e428a840b000838977274a595b6a
SHA256 264016f249eeebddc49ad295ba46026f63a952e5b95aae420c030c2f65be610f
SHA512 4271ee7dff9a24c22558fc5c28e852f905835a68ab21d65ebf51b276d00d9821ae017b109207e93a16aab9af6dea634e3ab4f1f3c2ffcd36e9fae064f571f82e