Malware Analysis Report

2025-06-16 00:52

Sample ID 241105-z1vfksydjg
Target test.exe
SHA256 de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067
Tags
rat dcrat discovery infostealer credential_access spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de577ab25710e06a94efa8f9b0b2f425377cb8df68c5068ce65204ee5b28a067

Threat Level: Known bad

The file test.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat discovery infostealer credential_access spyware stealer

DcRat

DCRat payload

Dcrat family

DCRat payload

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 21:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 21:11

Reported

2024-11-05 21:13

Platform

win10v2004-20241007-en

Max time kernel

68s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 4936 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 4936 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WScript.exe
PID 3608 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\FontreviewwincommonSvc\Bridgesurrogate.exe
PID 3700 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\FontreviewwincommonSvc\Bridgesurrogate.exe
PID 3600 wrote to memory of 1196 N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe C:\Windows\System32\cmd.exe
PID 3600 wrote to memory of 1196 N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe C:\Windows\System32\cmd.exe
PID 1196 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 4100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1196 wrote to memory of 4100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" "

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

"C:\FontreviewwincommonSvc\Bridgesurrogate.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im crss.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im winlogon.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 serveo.net udp
DE 138.68.79.95:9999 serveo.net tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
DE 138.68.79.95:9999 serveo.net tcp
US 8.8.8.8:53 95.79.68.138.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp

Files

C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe

MD5 0eab06ef6873fb013c9f2babf77657cb
SHA1 d0a76df0228e4ce0d5d4a013f54610ebb39d3a90
SHA256 641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1
SHA512 b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe

C:\FontreviewwincommonSvc\Y0CpU.bat

MD5 7847aa1435648c93f0af222aa269b12b
SHA1 445fdd35740aada074adc4596e0cde2449865b60
SHA256 70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef
SHA512 3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

MD5 925278f34e704b81d9a837d26a72657b
SHA1 404bb676c8298adc01e660ba763fbf6ec08137e8
SHA256 2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d
SHA512 608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7

memory/3600-12-0x00007FF93B260000-0x00007FF93B2FD000-memory.dmp

memory/3600-13-0x00000000004F0000-0x00000000005C6000-memory.dmp

memory/3600-14-0x0000000002750000-0x0000000002796000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 21:11

Reported

2024-11-05 21:13

Platform

win11-20241007-en

Max time kernel

60s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-125.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsStoreLogo.scale-100_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-32.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-400.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSplashScreen.contrast-black_scale-125.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\NotepadSmallTile.scale-125.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\de-DE\Cortana.bin C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCard.types.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\DashboardLib\WebView2Loader.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-100.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-20_altform-lightunplated.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-72_altform-unplated_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-100.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.TerminalConnection.winmd C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\colors\FluentColors.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\warn.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\LargeTile.scale-200.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.Devices.Custom.CustomDeviceContract.winmd C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\safeRequestAnimationFrame.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\IAnimationStyles.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.scale-100_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-16_altform-lightunplated.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\IRenderFunction.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Sticky.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardImage.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom\setPortalAttribute.js C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-125.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-36.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\Square44x44Logo.targetsize-24.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-200.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\LensSDK\Assets\EnsoUI\dashboard_slomo_OFF.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Wide.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.scale-200_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_AutumnLeaves_Thumbnail.jpg C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200_contrast-black.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-72_contrast-white.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SuccessControl.xaml C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-125.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Xml.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesMedTile.scale-200_contrast-black.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare71x71Logo.scale-100.png C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\system.Resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.22000.434_pt-br_83a272a288814d50.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_10.0.22000.469_en-us_150abcceef0c80ce.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.184.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package~31bf3856ad364e35~amd64~zh-TW~10.0.22000.184.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Clipboard-Package~31bf3856ad364e35~amd64~~10.0.22000.282.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Activities.Core.Presentation.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..oem-coren.resources_31bf3856ad364e35_10.0.22000.493_ca-es_e415ba079232652c.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_winpe-hta-package-o..oyment-languagepack_31bf3856ad364e35_10.0.22000.348_et-ee_a849ae95257bc8d1.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\INF\c_sdhost.inf C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\INF\ESENT\0409\esentprf.ini C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\System.Activities.Core.Presentation.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Guest-DynamicMemory-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.469.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ObjectModel.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\Microsoft.Data.Entity.Build.Tasks.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-ui-networkuxcontroller_31bf3856ad364e35_10.0.22000.37_none_c161361bf1d79027.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..access-userdataapis_31bf3856ad364e35_10.0.22000.41_none_ec1d56b3dd0434a4.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_windows-containeros..oyment-languagepack_31bf3856ad364e35_10.0.22000.184_en-us_86a95ee62b0753ee.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-NanoServer-Package-Wrapper~31bf3856ad364e35~amd64~sk-SK~10.0.22000.184.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package~31bf3856ad364e35~amd64~fi-FI~10.0.22000.184.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-NanoServer-Containers-Bridge-Package~31bf3856ad364e35~amd64~eu-ES~10.0.22000.41.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Biometrics-FaceRecognition-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package-Wrapper~31bf3856ad364e35~amd64~sr-Latn-RS~10.0.22000.184.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Optional-Features-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.37.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\INF\mf.inf C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationCore.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-taskbar-dll.resources_31bf3856ad364e35_10.0.22000.184_ar-sa_8b9cc67dbb80c384.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\ImmersiveControlPanel\SystemSettings.exe.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\INF\mdmarn.inf C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\SMDiagnostics.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-remoteassistance-diag_31bf3856ad364e35_10.0.22000.71_none_95c097b2f915eab1.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-NanoServer-Containers-Bridge-merged-Package~31bf3856ad364e35~amd64~hu-HU~10.0.22000.184.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Boot\EFI\sv-SE\bootmgr.efi.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Cursors\help_r.cur C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja-JP\WorkflowServiceHostPerformanceCounters.dll.mui C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_zh-cn_17970edfa828c1ec.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~~10.0.22000.434.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~zh-TW~10.0.22000.282.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.OracleClient.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Hyper-V-WinPE-Drivers-Package~31bf3856ad364e35~amd64~lv-LV~10.0.22000.469.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\rescache\_merged\771651726\3578953693.pri C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~es-MX~10.0.22000.184.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~nb-NO~10.0.22000.469.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Data.DataSetExtensions.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Configuration.xml C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\schemas\EAPHost\baseeapconnectionpropertiesv1.xsd C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_sr-..-rs_931a79bdde7839d7.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_bg-bg_1f3acc0fdbecd99c.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-ActiveDirectory-DS-LDS-Tools-FoD-merged-Package~31bf3856ad364e35~amd64~fi-FI~10.0.22000.120.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\INF\netwew01.inf C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_fr-ca_570d54aa5f752ec7.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dictionaries-danish_31bf3856ad364e35_10.0.22000.348_none_857b15025745f7b9.manifest C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~ca-ES~10.0.22000.37.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Client-Manager-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.37.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Vpci-VirtualDevice-Gpup-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\en-US\DistributedLinkTracking.adml C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Hypervisor-API-Package~31bf3856ad364e35~amd64~~10.0.22000.71.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package-Wrapper~31bf3856ad364e35~amd64~sv-SE~10.0.22000.184.cat C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Configuration.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\System.Xaml.Hosting.resources.dll C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A
File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~eu-es~1.0.mum C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\FontreviewwincommonSvc\Bridgesurrogate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\FontreviewwincommonSvc\Y0CpU.bat" "

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

"C:\FontreviewwincommonSvc\Bridgesurrogate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 serveo.net udp
DE 138.68.79.95:9999 serveo.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 95.79.68.138.in-addr.arpa udp
DE 138.68.79.95:9999 serveo.net tcp

Files

C:\FontreviewwincommonSvc\JucJWzXGoLiqIkOEBNnKfvrb0.vbe

MD5 0eab06ef6873fb013c9f2babf77657cb
SHA1 d0a76df0228e4ce0d5d4a013f54610ebb39d3a90
SHA256 641cb6fb5f209f0782ed6ce495fec7fbc2a4dad802e0d86ea2539f9e7280c1f1
SHA512 b596159b85d0e147eb845bd9a6a26ae58391845100200aeacaa658eb239183fa18589319fe8644a87eac740aaed0ba79861309bc54f5498bdbb9d31520b432fe

C:\FontreviewwincommonSvc\Y0CpU.bat

MD5 7847aa1435648c93f0af222aa269b12b
SHA1 445fdd35740aada074adc4596e0cde2449865b60
SHA256 70a6c507c444bb21691fed477053006d8ab4e490aaa514de83b46193989816ef
SHA512 3c1b9d9b7f1b2f48bbca67e7175411d6b02dab55b523e357ca4b47500cc64e3481ffcb2b9c1e3ca3275f9e3673625043d0ba20ee1c82d4935a75d226b800c95d

C:\FontreviewwincommonSvc\Bridgesurrogate.exe

MD5 925278f34e704b81d9a837d26a72657b
SHA1 404bb676c8298adc01e660ba763fbf6ec08137e8
SHA256 2a26a9cf56694281786fb8e35863ac7a5f607301bbb72eef7e06e95c7e23f50d
SHA512 608a6d3456e194d918992817d2c57d97ea1758b251d4e1f4e4b9ecc375e2de6d08de2a6495ebcb7ba825eb172e862119b222006733381e1ce246e251dfd55fd7

memory/2852-12-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

memory/2852-13-0x00000000004D0000-0x00000000005A6000-memory.dmp

memory/2852-16-0x000000001B3B0000-0x000000001B3BD000-memory.dmp

memory/2852-15-0x000000001B230000-0x000000001B239000-memory.dmp

memory/2852-14-0x000000001C030000-0x000000001C076000-memory.dmp

memory/2852-19-0x00007FF9F68C3000-0x00007FF9F68C5000-memory.dmp

memory/2852-18-0x000000001B3C0000-0x000000001B3CB000-memory.dmp

memory/2852-17-0x000000001C080000-0x000000001C09E000-memory.dmp