Analysis Overview
SHA256: de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067
Threat Level: Known bad
The file test.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Dcrat family
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Looks up external IP address via web service
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-05 21:11
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-05 21:11
Reported: 2024-11-05 21:13
Platform: win10v2004-20241007-en
Max time kernel: 68s
Max time network: 69s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\test.exe | "C:\Users\Admin\AppData\Local\Temp\test.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" " |
| C:\FontreviewwincommonSvc\Bridgesurrogate.exe | "C:\FontreviewwincommonSvc\Bridgesurrogate.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im crss.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im wininit.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im winlogon.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im svchost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | serveo.net | udp |
| DE | 138.68.79.95:9999 | serveo.net | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| DE | 138.68.79.95:9999 | serveo.net | tcp |
| US | 8.8.8.8:53 | 95.79.68.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
Files
C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe
| Hash | Value |
| --- | --- |
| MD5 | 0eab06ef6873fb013c9f2babf77657cb |
| SHA1 | d0a76df0228e4ce0d5d4a013f54610ebb39d3a90 |
| SHA256 | 641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1 |
| SHA512 | b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe |
C:\FontreviewwincommonSvc\Y0CpU.bat
| Hash | Value |
| --- | --- |
| MD5 | 7847aa1435648c93f0af222aa269b12b |
| SHA1 | 445fdd35740aada074adc4596e0cde2449865b60 |
| SHA256 | 70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef |
| SHA512 | 3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d |
C:\FontreviewwincommonSvc\Bridgesurrogate.exe
| Hash | Value |
| --- | --- |
| MD5 | 925278f34e704b81d9a837d26a72657b |
| SHA1 | 404bb676c8298adc01e660ba763fbf6ec08137e8 |
| SHA256 | 2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d |
| SHA512 | 608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7 |
memory/3600-12-0x00007FF93B260000-0x00007FF93B2FD000-memory.dmp
memory/3600-13-0x00000000004F0000-0x00000000005C6000-memory.dmp
memory/3600-14-0x0000000002750000-0x0000000002796000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-05 21:11
Reported: 2024-11-05 21:13
Platform: win11-20241007-en
Max time kernel: 60s
Max time network: 106s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Windows Credential Manager
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_sr-..-rs_931a79bdde7839d7.manifest | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_bg-bg_1f3acc0fdbecd99c.manifest | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-merged-Package~31bf3856ad364e35~amd64~fi-FI~10.0.22000.120.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\INF\netwew01.inf | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_fr-ca_570d54aa5f752ec7.manifest | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dictionaries-danish_31bf3856ad364e35_10.0.22000.348_none_857b15025745f7b9.manifest | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~ca-ES~10.0.22000.37.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Client-Manager-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.37.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Vpci-VirtualDevice-Gpup-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\en-US\DistributedLinkTracking.adml | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Hypervisor-API-Package~31bf3856ad364e35~amd64~~10.0.22000.71.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.22000.184.cat | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Configuration.resources.dll | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Xaml.Hosting.resources.dll | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~eu-es~1.0.mum | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
| N/A | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2292 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2292 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2892 wrote to memory of 444 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2892 wrote to memory of 444 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2892 wrote to memory of 444 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 444 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\FontreviewwincommonSvc\Bridgesurrogate.exe |
| PID 444 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\FontreviewwincommonSvc\Bridgesurrogate.exe |
Processes
| PID | Parent PID (from the WriteProcessMemory rows) | Process | Command line |
| 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | "C:\Users\Admin\AppData\Local\Temp\test.exe" |
| 2892 | 2292 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe" |
| 444 | 2892 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" " |
| 2852 | 444 | C:\FontreviewwincommonSvc\Bridgesurrogate.exe | "C:\FontreviewwincommonSvc\Bridgesurrogate.exe" |
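The four processes form one chain: the dropper starts WScript.exe on the .vbe, WScript.exe starts cmd.exe on the .bat, and cmd.exe starts the unsigned Bridgesurrogate.exe from a freshly created root-level directory. Note also that both script hosts are launched by a System32 path but run from SysWOW64, i.e. the dropper is a 32-bit process and hits WOW64 file system redirection. The Python below is an added example, not part of this report: it rebuilds that tree from the WriteProcessMemory rows and flags the script-host-to-dropped-binary chain and the redirected images. The event tuples and command lines are constructed from the tables above; SCRIPT_HOSTS and TRUSTED_ROOTS are the author's assumptions.

```python
"""Rebuild the process tree from sandbox "wrote to memory" rows and flag the
script-host -> dropped-binary chain. Added example, not part of the report."""
from collections import defaultdict

TEST_EXE = r"C:\Users\Admin\AppData\Local\Temp\test.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PAYLOAD = r"C:\FontreviewwincommonSvc\Bridgesurrogate.exe"

# Constructed from the WriteProcessMemory table: (writer PID, target PID,
# writer image, target image). The sandbox records these writes while the
# parent sets up its child, so each row is taken as a parent -> child edge;
# repeated rows are kept exactly as the report lists them.
EVENTS = [
    (2292, 2892, TEST_EXE, WSCRIPT), (2292, 2892, TEST_EXE, WSCRIPT), (2292, 2892, TEST_EXE, WSCRIPT),
    (2892, 444, WSCRIPT, CMD), (2892, 444, WSCRIPT, CMD), (2892, 444, WSCRIPT, CMD),
    (444, 2852, CMD, PAYLOAD), (444, 2852, CMD, PAYLOAD),
]

# Constructed from the Processes section, keyed by PID.
CMDLINES = {
    2292: r'"C:\Users\Admin\AppData\Local\Temp\test.exe"',
    2892: r'"C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe"',
    444: r'C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" "',
    2852: r'"C:\FontreviewwincommonSvc\Bridgesurrogate.exe"',
}

# Assumptions: which images count as script hosts, and where a legitimately
# installed executable is expected to live.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline):
    """First token of a Windows command line, honouring a leading quote."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def build_tree(events):
    """children[ppid] -> [pid, ...] and image[pid] -> executed image path."""
    children = defaultdict(list)
    image = {}
    for ppid, pid, pimg, cimg in events:
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
        if pid not in children[ppid]:
            children[ppid].append(pid)
    return children, image


def roots(children):
    seen = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in seen]


def chains(children, pid):
    """Every root-to-leaf PID path below pid."""
    kids = children.get(pid)
    if not kids:
        return [[pid]]
    return [[pid] + rest for k in kids for rest in chains(children, k)]


def is_script_host_drop(chain, image):
    """A script host somewhere above a leaf executable outside TRUSTED_ROOTS."""
    names = [image_name(image[p]) for p in chain[:-1]]
    leaf = image[chain[-1]].lower()
    return any(n in SCRIPT_HOSTS for n in names) and not leaf.startswith(TRUSTED_ROOTS)


def wow64_redirected(image, cmdlines):
    """PIDs whose command-line image path differs from the image actually run
    (here System32 in the command line vs SysWOW64 on disk)."""
    return {pid for pid, cl in cmdlines.items()
            if pid in image and cmdline_image(cl).lower() != image[pid].lower()}


def analyse(events, cmdlines):
    children, image = build_tree(events)
    flagged = [c for r in roots(children) for c in chains(children, r)
               if is_script_host_drop(c, image)]
    return flagged, sorted(wow64_redirected(image, cmdlines))


def render(children, image, cmdlines, pid, depth=0):
    out = [f"{'  ' * depth}{pid} {image[pid]}  {cmdlines.get(pid, '')}"]
    for k in children.get(pid, []):
        out.extend(render(children, image, cmdlines, k, depth + 1))
    return out


if __name__ == "__main__":
    children, image = build_tree(EVENTS)
    for r in roots(children):
        print("\n".join(render(children, image, CMDLINES, r)))
    print(analyse(EVENTS, CMDLINES))
```

The same edge list shape (parent PID, child PID, images) is what Sysmon event 1 or an EDR process-creation feed gives you, so the chain check transfers to live telemetry without change; the WOW64 check is only meaningful where the feed records the executed image separately from the command line.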
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | serveo.net | udp |
| DE | 138.68.79.95:9999 | serveo.net | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 95.79.68.138.in-addr.arpa | udp |
| DE | 138.68.79.95:9999 | serveo.net | tcp |
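The table shows a DNS query for serveo.net, two TCP sessions to 138.68.79.95:9999, an HTTPS request to ipinfo.io (the "Looks up external IP address via web service" signature) and a PTR query for 138.68.79.95 itself. The Python below is an added example, not part of the report: it parses rows constructed from this table, turns the in-addr.arpa name back into an address and checks it against the TCP peers, and flags the non-standard port and the recognised services. The service lists (serveo.net as a reverse-tunnel relay, ipinfo.io as an IP-lookup service) and the port allow-list are the author's assumptions, not facts stated by the report.

```python
"""Triage sandbox network rows. Added example, not part of the report."""
from collections import defaultdict

# Constructed from the report's Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "serveo.net", "udp"),
    ("DE", "138.68.79.95:9999", "serveo.net", "tcp"),
    ("US", "34.117.59.81:443", "ipinfo.io", "tcp"),
    ("US", "8.8.8.8:53", "95.79.68.138.in-addr.arpa", "udp"),
    ("DE", "138.68.79.95:9999", "serveo.net", "tcp"),
]

# Assumptions, not facts from the report.
TUNNEL_RELAYS = {"serveo.net"}
IP_LOOKUP_SERVICES = {"ipinfo.io", "api.ipify.org", "icanhazip.com"}
EXPECTED_PORTS = {80, 443}


def split_dest(dest):
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def ptr_target(name):
    """IPv4 address a PTR name refers to, or None if the name is not one."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows):
    """Return a list of human-readable findings for the given rows."""
    tcp_peers = defaultdict(set)  # (ip, port) -> domains the sandbox associated with it
    dns_queries = set()
    for _country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if proto == "udp" and port == 53:
            dns_queries.add(domain)
        elif proto == "tcp":
            tcp_peers[(ip, port)].add(domain)

    findings = []
    for (ip, port), domains in sorted(tcp_peers.items()):
        for d in sorted(domains):
            if d in TUNNEL_RELAYS:
                findings.append(f"tunnel relay {d} at {ip}:{port}")
            if d in IP_LOOKUP_SERVICES:
                findings.append(f"external IP lookup via {d}")
        if port not in EXPECTED_PORTS:
            findings.append(f"non-standard port {port} to {ip}")

    # A PTR query for an address the sample itself connected to: the sample
    # (or its runtime) is resolving its own peer, worth correlating with the
    # TCP sessions rather than treating as unrelated DNS noise.
    contacted = {ip for ip, _ in tcp_peers}
    for q in sorted(dns_queries):
        target = ptr_target(q)
        if target in contacted:
            findings.append(f"reverse lookup of contacted peer {target}")
    return findings


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f)
```

Because serveo.net is a public relay, the 138.68.79.95 address identifies the relay, not the operator; block or alert on the domain and port pattern rather than pinning detection to this single IP.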
Files
C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe
| MD5 | 0eab06ef6873fb013c9f2babf77657cb |
| SHA1 | d0a76df0228e4ce0d5d4a013f54610ebb39d3a90 |
| SHA256 | 641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1 |
| SHA512 | b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe |
C:\FontreviewwincommonSvc\Y0CpU.bat
| MD5 | 7847aa1435648c93f0af222aa269b12b |
| SHA1 | 445fdd35740aada074adc4596e0cde2449865b60 |
| SHA256 | 70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef |
| SHA512 | 3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d |
C:\FontreviewwincommonSvc\Bridgesurrogate.exe
| MD5 | 925278f34e704b81d9a837d26a72657b |
| SHA1 | 404bb676c8298adc01e660ba763fbf6ec08137e8 |
| SHA256 | 2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d |
| SHA512 | 608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7 |
memory/2852-12-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp
memory/2852-13-0x00000000004D0000-0x00000000005A6000-memory.dmp
memory/2852-16-0x000000001B3B0000-0x000000001B3BD000-memory.dmp
memory/2852-15-0x000000001B230000-0x000000001B239000-memory.dmp
memory/2852-14-0x000000001C030000-0x000000001C076000-memory.dmp
memory/2852-19-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp
memory/2852-18-0x000000001B3C0000-0x000000001B3CB000-memory.dmp
memory/2852-17-0x000000001C080000-0x000000001C09E000-memory.dmp