Analysis
-
max time kernel
1784s -
max time network
1783s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
30/04/2024, 20:32
General
-
Target
Neverlose.cc Crack.exe
-
Size
4.6MB
-
MD5
cb2be30171f2abcd864d4afbce7cbf4a
-
SHA1
9b9328b84ca32f6026430b98390e718d971c82ed
-
SHA256
de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
-
SHA512
935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
-
SSDEEP
98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47
Score
10/10
Malware Config
Signatures
-
DcRat 47 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 15 IoCs
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 64 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 30 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"1⤵
- DcRat
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Bridgeserverintocommon\intobroker.exe"C:\Bridgeserverintocommon\intobroker.exe"5⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\PLA\Reports\es-ES\csrss.exe"C:\Windows\PLA\Reports\es-ES\csrss.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2fd54ff-f9bc-4a01-92b4-6e135d66e91a.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa34b3ca-14b5-4932-b769-228f6460395e.vbs"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01b92e7a-d915-44af-91b0-ee84939c51f9.vbs"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe12⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c10917e-9d7d-437b-b902-6e78ee7ef233.vbs"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef991a4-f9e5-45a8-81e0-a4a4dc8dcb36.vbs"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe16⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8094a1f-5ae1-4402-bdc1-2b27e39dd1d1.vbs"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe18⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c47be6f-6254-4593-9b6d-36895b614dc1.vbs"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab07c1c-4bc9-4f2b-b96f-1204e9e272b9.vbs"21⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a460592f-d73e-4286-a497-68f394a90f54.vbs"23⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe24⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e8fcbe9-a02e-4ef0-bcd7-4850535dfb85.vbs"25⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6558525c-8502-447c-9d54-e15dadc2cd12.vbs"27⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238c7ef1-c222-4f0d-9ca4-f23ab9607e91.vbs"29⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe30⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\682b3949-c7aa-4f83-ad50-0cbac065bf05.vbs"31⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe32⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c1b07b6-b6af-49dd-a08e-a232899f4aa6.vbs"33⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\929b055e-f1eb-4557-a8ce-b5e2908043f3.vbs"35⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe36⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c770c8cc-5bbd-4f70-a4f2-5f6af10f9883.vbs"37⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe38⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa82123e-329d-4b7a-9ee2-dc7696de65a9.vbs"39⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe40⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c1cd451-d852-4098-9e2c-ac873dffc23b.vbs"41⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe42⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dd06ce1-166b-49d7-b64a-6465d29d56cd.vbs"43⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40d56e53-2aaa-4b39-becd-c6228df81f20.vbs"45⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe46⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6118ac3-9217-47d5-b94b-74e81a28bef8.vbs"47⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e05001e-8c52-4d26-9a7f-5076bb03afae.vbs"49⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce14896-4327-4b56-b328-85a432a472a2.vbs"51⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d4135d-dbf4-4ef5-89ea-b3678118c71d.vbs"53⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe54⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\209fb0de-2011-45ea-9f3e-cb973f263e1e.vbs"55⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d27a4f24-c588-4efa-bfb2-4ec4f3dc31bc.vbs"55⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb60bf7-3bcf-428e-81af-91b8db40e302.vbs"53⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\464631a7-24a9-4916-97d8-c5cd10c45d2b.vbs"51⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7304f99-2503-4c8d-b245-a383c4f95054.vbs"49⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b0e70fc-36f4-4dcb-99b0-cb201cddd7fd.vbs"47⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54454130-1dda-441d-94eb-062a217d462e.vbs"45⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7da55bf-24f4-4ced-909d-dbc0ff927a44.vbs"43⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f59bee5b-32f9-4461-ae03-4d048ccab861.vbs"41⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45977da2-c8ad-47ce-92f8-924e55b0fee9.vbs"39⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c7f2b1-e078-4200-b0c7-4fa53a94697b.vbs"37⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48cd50cc-e18e-4ff9-9e46-b41ad1a0bf2a.vbs"35⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b45beb2-ea1d-4799-870a-98aa3646a01d.vbs"33⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc383e3-7da0-4ec6-b374-a6414c823ce0.vbs"31⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3ea3e2-8f2f-4f0e-9538-d89d9804636b.vbs"29⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\672d4ef4-e3e6-46d9-ba6f-37a12a7e4ac0.vbs"27⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc6b744-85b9-4887-9ed1-ab0331882be7.vbs"25⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcc62afa-ca37-41e0-95df-82b73dc7ff2b.vbs"23⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c90f122-21e6-4c45-8864-0621383f3883.vbs"21⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c49ad22-f383-430b-ac3b-0a5ab81f9079.vbs"19⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af765d0-9b6e-4dba-a22b-6925b003654f.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80727749-57b8-4b7b-82e3-2dd8fc02698c.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d29e5aa5-5ed3-4634-8a18-09c3f9912c97.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eacd35d8-cc36-4bc6-92e4-e89aec57a9cb.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\405b6528-df44-4021-a024-124648d8aa7c.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\990b6242-08f5-4930-bd08-e74127514060.vbs"7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exe"C:\Users\Admin\AppData\Local\Temp\AimStar.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\es-ES\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Templates\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\DISM\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Bridgeserverintocommon\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Bridgeserverintocommon\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8964b3b2-fa31-4017-87e4-0c9813be4c2e.vbs"2⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e05d3ea-b422-4bad-a4d2-1ba5201a1cbc.vbs"4⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd92009a-fdd6-4689-b9be-cd95ae22d57e.vbs"6⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df070a0-6305-43a1-a6d0-e7481556e500.vbs"8⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\001e6c8f-242d-4b8e-9369-bf8d9f0fe957.vbs"10⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ad473d-2430-433d-aeda-c441c141f891.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5f6c5de-96b2-4bc7-a1da-7ed5a8a4c7b9.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbebdfa8-75d7-4cd5-9d0d-1ff347428901.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6863775f-1a3c-486a-952c-2f9e99de2bd6.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae2bb270-2e77-4cb1-b89f-4ec8f77bb876.vbs"2⤵
-
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18ce19e4-5507-49e9-9043-e3dcf2fe6b8c.vbs"2⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe57804-74c3-46df-9a69-5df7e7fdd91a.vbs"4⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23e291e2-bf1f-4f62-9147-8ae10feba288.vbs"6⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3afbcf8b-084f-4a82-a005-4d2d947f4da7.vbs"8⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4139c900-c087-4c0a-a7ed-963afe01eb32.vbs"10⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdafe9dd-ce7e-4789-a105-228977bf0781.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d5f7eb2-4b79-4cf5-9eb4-369e24fb392d.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90a946f8-60dd-44be-a1c8-e182e670aa90.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca2a4429-5f1e-4b15-a170-14cc10779627.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa06a187-92ac-480b-8a28-cf398096fbcb.vbs"2⤵
-
-
C:\Users\Admin\Start Menu\winlogon.exe"C:\Users\Admin\Start Menu\winlogon.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74e78a85-9c06-4592-94e8-af14a15af482.vbs"2⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa19e9b6-dced-475f-a26f-8a4678ee933f.vbs"4⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12ea4343-e3fa-48ec-938b-036d9f262709.vbs"6⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae46dab0-722e-4990-8a75-72fa636db3d5.vbs"8⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6a2ea8f-6939-43cc-bfb5-549126ef3f77.vbs"10⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ee1158-fe8e-49ec-adee-30714c5a15ba.vbs"12⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e678b0-e460-49da-8c63-29c76907fedf.vbs"14⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe15⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8607da9-9c7a-4a4b-aae2-4e787b0cc045.vbs"16⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b0d6da-4111-4bc5-85da-26bf501d0d43.vbs"18⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe19⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05b51146-206f-426b-83cd-a2663a200bda.vbs"20⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78eeac33-7d1c-4f68-b0eb-7e6f742cb14f.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02303e0f-bc93-47ae-b294-4ec41876207b.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8299829b-9530-48d1-921c-50c178c994b3.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62bf524e-817b-48a8-9c06-f37193f0e08a.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a208ce5-de41-4b6f-89ef-23579a588914.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1657a81-fe1d-4263-b9cb-7cff55e950d5.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7adffe42-820f-4c62-b480-241aeb577fbb.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\349d13f9-c467-43a1-b820-6698ac9c0d8c.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c5f124-ae00-4887-961b-f92354c7308e.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648a6df7-a9d3-4530-98d6-6ceb0e273ca3.vbs"2⤵
-
-
C:\Recovery\WindowsRE\spoolsv.exeC:\Recovery\WindowsRE\spoolsv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\dotnet\TextInputHost.exe"C:\Program Files\dotnet\TextInputHost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f619084b-f052-4dad-ab41-74fbd32afda7.vbs"2⤵
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26ab2c1b-8b97-4387-8ad5-7a5d21146674.vbs"4⤵
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26d9197-b812-4407-a56e-d21467df1f7b.vbs"6⤵
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d320fed-d6e6-44b8-8580-e95bb17fdefa.vbs"8⤵
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe9⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd6d1c1-adfd-4e00-877c-fed6b17048b3.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfce032-d61f-4db5-a439-984b3a163482.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b3543c3-b412-462a-a625-fb77ea00d60f.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68cbda2f-4fe8-44cf-8055-3ffd952b9d49.vbs"2⤵
-
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07ef5806-b4e2-4af1-b12a-43da3abb611c.vbs"2⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe3⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4195dd-e016-4cd2-805f-648e0da88065.vbs"4⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe5⤵
- Checks computer location settings
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\755b1c8f-7154-4aba-aa12-40c6539b8f85.vbs"6⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe7⤵
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97c5d0d-b4ee-49cd-b51f-9cc8dc6cdf56.vbs"8⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe9⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06e3e0eb-036b-4460-adb8-eea32c27b4c9.vbs"10⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe11⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fc6d422-1c27-4692-8765-a41023c0e945.vbs"12⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe13⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9b8f22-6599-4252-a055-e346656d0a0b.vbs"14⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe15⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75360afe-bd62-41b9-9333-9eed644baecb.vbs"16⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe17⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95502d0-4742-466c-a27b-14544bec9681.vbs"18⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe19⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a61699-9db2-4567-a454-98ae9af9e7cb.vbs"20⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe21⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00dc2006-4e36-4459-9f08-6efde214c586.vbs"22⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe23⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a87687e-b378-4b77-8cd0-e46e88c96ec3.vbs"24⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe25⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb8fd41-0d38-4057-b900-0cbcb88aa712.vbs"26⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe27⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7fc229-f6c6-4b6c-b885-64b570ff184c.vbs"28⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe29⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c43f75c5-54fc-4b8a-9744-4f6e484fa48f.vbs"30⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe31⤵
- Checks computer location settings
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b4d9dd-cbb3-4f29-b64c-0745a29e7502.vbs"32⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe33⤵
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a16da28a-1359-4daf-8109-54516b0653c2.vbs"34⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe35⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24bbc7e9-3d81-490d-92ce-f6ae857ad337.vbs"36⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe37⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\636fedfb-625e-45dd-acce-fa5bc54be3f8.vbs"38⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe39⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3c7a3ab-8cb4-4657-b0f0-838ea363f839.vbs"40⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe41⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e3fdfc-6e70-4d91-b5d7-b4f6b6c209b1.vbs"42⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe43⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2d65cce-9352-48fa-a3c1-e6fb74ddcea2.vbs"42⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71e3a0f-47c8-453c-817e-7338eada36f8.vbs"40⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cda052d6-13c4-4151-ae70-d058c3adeb3d.vbs"38⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8915819-06c5-4b79-ba0a-8b1ee9268f2b.vbs"36⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b71d5e28-d8b0-427e-b4cb-b9a9fbfc60a8.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6841c196-a5c8-4f60-b909-88981f170a3b.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735d153d-6f67-4502-be56-207b8b5dfd11.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5937da95-d09f-48e0-89a0-4baa50cd8d01.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab964c1-a092-443d-9d07-cee2ebf04bbd.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c4f1cb-9029-4c7f-9f47-cab59a172268.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86962a94-fcc7-4c0a-8628-fe8a0f97a2f4.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e7cb22-70c4-4fea-a2e0-9039006745bb.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a138e7ee-ce30-4f70-a17b-ca105b5955bd.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c378fcd9-f5be-4546-8d1a-2ac6371b103b.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b419188c-f815-4873-a43f-8d08cd46e26d.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f6ca3e4-85bf-4c6f-a821-7ff5ead11eb6.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f74415e-39dd-49e7-936c-4b788dd8d4fc.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b19bae22-4ad2-423b-ae58-088aed48762e.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730e2af0-93cd-4602-844c-aa1396a1da42.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31964ff-4446-4b81-804f-5e5f21f45465.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\602f776f-4d63-40c7-848e-b99633f64105.vbs"2⤵
-
-
C:\Users\Default\Templates\explorer.exeC:\Users\Default\Templates\explorer.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\RemotePackages\RemoteApps\unsecapp.exeC:\Windows\RemotePackages\RemoteApps\unsecapp.exe1⤵
-
C:\Windows\es-ES\sihost.exeC:\Windows\es-ES\sihost.exe1⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"1⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe1⤵
-
C:\Users\Admin\Start Menu\winlogon.exe"C:\Users\Admin\Start Menu\winlogon.exe"1⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe1⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2469017e-3d2c-4535-8232-b7bf401843d4.vbs"2⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe3⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a411c5b-224c-46ea-b63b-c923b8ffff75.vbs"4⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe5⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee05f99c-fb56-42e6-8190-a8a824d2d2d6.vbs"6⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe7⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b50ec96-7a1b-41ab-a175-6b8143bdbe68.vbs"8⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe9⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5cfb6a-c23d-43ed-a1a3-e5e380514fa2.vbs"10⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe11⤵
- UAC bypass
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83f131c1-f338-4370-9b08-13c2197f43d6.vbs"12⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe13⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d953d2-3cb9-4346-9198-1978a304eb0b.vbs"14⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe15⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73902134-2a9e-4f06-8637-53db6121cb52.vbs"16⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe17⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e260a578-ab65-412f-bc16-8200d4931a09.vbs"18⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe19⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03905b97-a154-4aa2-b132-3bc33757474e.vbs"20⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe21⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11fe2da3-88cb-48d9-8031-1ad0b55c876e.vbs"22⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe23⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1b1803-562d-4a74-b3be-90bdd3bf61a3.vbs"24⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe25⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc8ce0b6-9685-4488-99d9-082cf02f6aae.vbs"26⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe27⤵
- Checks computer location settings
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb14a02a-1e66-4a76-b90a-d95baa3ebbe6.vbs"28⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe29⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6cf8fca-933e-480e-af12-7e0a064b36e8.vbs"30⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe31⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b6d249-ec0f-40ce-bfb2-487792c03bd1.vbs"32⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe33⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b77098fa-dcd1-406d-9095-572b4cdf7431.vbs"34⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe35⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02879980-80a5-4a92-a853-2d049a8c0478.vbs"36⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe37⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83fe837b-1b1b-44f5-9ca3-6f2a615c63f7.vbs"38⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe39⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99309835-46d8-4631-8747-b9d02ed5532f.vbs"38⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fb6088c-aea6-4269-a652-2f19cbb61b7f.vbs"36⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e4162a-09e0-4c4c-aef5-c9f57592c6bf.vbs"34⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fe4d6a-e793-4be8-b699-c671e97d0978.vbs"32⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8333a50a-01e9-440f-a6a9-7b8e4861723a.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f4fd15-253e-40e3-a6ac-6a9b2fe09a3a.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0aee26b-2b51-41a0-bc33-c46a9345009b.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07fc5991-54b3-4414-9399-5c071fdb3a3c.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f305a5a3-c58b-45a5-89fc-abf34240a105.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76990e5a-271f-4814-b243-fff9581820fa.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c75bf928-decb-4eaf-b76f-b2e48b1e1c3c.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66c5c1fd-27bc-4f81-a160-b4103af39aea.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc4e3b9-4286-49be-b14b-73464f9731b2.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\895088f0-06cc-4030-86f5-fa5a0f93736a.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e640c294-17b8-430b-9c31-cac8e0660885.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6962cadf-df07-4b8f-b61e-d8332df7e343.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b44a889d-312a-4411-931b-d8fabfe9610f.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\469a7d4a-ce81-474f-a234-6084910d1cde.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93e099ae-d52a-4651-9b55-8b7e18f6229c.vbs"2⤵
-
-
C:\Recovery\WindowsRE\spoolsv.exeC:\Recovery\WindowsRE\spoolsv.exe1⤵
-
C:\Program Files\dotnet\TextInputHost.exe"C:\Program Files\dotnet\TextInputHost.exe"1⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe1⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a233af9e-ddab-49ea-ab7f-21139b11cfba.vbs"2⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"3⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\940a965f-2b99-4a27-9f41-4ac585274811.vbs"4⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"5⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac3ac04-c5e5-4a56-9fe8-8a1ba7c8df57.vbs"6⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"7⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89690e0b-d6b4-447a-aeca-5f2d79500266.vbs"8⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"9⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35b6be17-2924-4631-b89e-f41acedd24e3.vbs"10⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"11⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\138bb748-76ba-4e58-92ee-b0ce42b9cfb8.vbs"12⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"13⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f41c649c-947b-4ba1-8028-78873b394ca6.vbs"14⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"15⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f75fe7-82ad-45c0-9b8b-7540e2952223.vbs"16⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"17⤵
- Checks computer location settings
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25197220-f12a-497c-a5ac-d1f4b3ac3e3d.vbs"18⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"19⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f82b480-f869-4785-8ed5-4445d38c0761.vbs"20⤵
-
C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe"21⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8631a440-983a-4b07-b404-927e7ca34950.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\160f1bdf-53f8-4b9f-9121-fcea3e312d13.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a43f8e8-695c-480d-9cdc-a86a966c6450.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa9dfe00-c091-44b3-8618-958362133cc7.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dddd509-a55a-4621-bf9a-fb89a769a969.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48e386f8-46e0-4d81-a48e-a511fe42c0b8.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2680effc-c20a-41ca-a709-9214d1f3d684.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4adb9c30-5062-41bb-94bb-78c3b400d46d.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29b99cb1-a0eb-41cd-9b85-37cc123fac07.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d5dc775-f5aa-4193-b632-29d7f2d5b530.vbs"2⤵
-
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe1⤵
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe1⤵
-
C:\Recovery\WindowsRE\SppExtComObj.exeC:\Recovery\WindowsRE\SppExtComObj.exe1⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8e2f3d-bebe-4c41-8319-5d862c75c43d.vbs"2⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"3⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e27c79ed-8cff-4b33-90c9-375a3298bb9c.vbs"4⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"5⤵
- Checks computer location settings
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5ae639-f544-4fcd-97c4-10c4a2f3b0d4.vbs"6⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6aef5f3-81e0-417f-a93e-80a8bb6bae12.vbs"8⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"9⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00ce1601-b72e-4f56-9bac-7dd844093a80.vbs"10⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"11⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd736524-b573-41b0-9a15-f8d44d2c8b57.vbs"12⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"13⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1df93c-feaf-4e78-a12f-546d7aafaae6.vbs"14⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"15⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de041581-d5ed-47bf-878c-f3b27691f4f1.vbs"16⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"17⤵
- UAC bypass
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53be1965-f49a-4058-9f8e-d4290ffef240.vbs"18⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"19⤵
- UAC bypass
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0abb41b5-86ba-4f62-bd47-480161ec880b.vbs"20⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"21⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2357b73-ba69-4abe-9d3b-bce959553c1a.vbs"22⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"23⤵
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e770e9fe-ad50-4223-a622-cac95a991d1b.vbs"24⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"25⤵
- Checks computer location settings
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee436caf-364a-4d47-9740-8ea0514ae49f.vbs"26⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"27⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cf315d-6a2c-48f6-8313-47a45a895ccc.vbs"28⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"29⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a932fe-a126-42b5-aa76-38400fec74bf.vbs"30⤵
-
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"31⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be1ae50-6f99-42e3-8bd7-2c12ae373784.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6786564-f013-486c-b129-6d23e6be7d49.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71115525-c876-4a68-ae6a-2ff8b390cd3e.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd415fd-6731-441d-a63e-3abf2ffc1261.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689ebeaf-0c12-41c7-8510-ea4e154ebd6c.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04663ad3-d62d-46ea-95cf-5f8b38d40f18.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49258f80-e164-40d8-ac83-542aae1f1104.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b326361f-a545-498f-a108-b742d7941f31.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048387cf-993c-4a6e-9ffe-13bc979e8e6d.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad760a95-1c75-4227-b7fd-03bb4de053cc.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1765b23d-ae12-4861-9de0-cc7f30ad9be8.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba66ad1-c6e3-4854-8e46-dbe4661238f0.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5cab811-19b6-4969-9633-3e3725b87c2e.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f58846a-55de-44a2-9250-d1205ccdf452.vbs"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ed4b2c5-d28a-4684-a4b5-3e6ede28dd12.vbs"2⤵
-
-
C:\Users\Admin\Start Menu\winlogon.exe"C:\Users\Admin\Start Menu\winlogon.exe"1⤵
-
C:\Users\Default\Templates\explorer.exeC:\Users\Default\Templates\explorer.exe1⤵
-
C:\Bridgeserverintocommon\fontdrvhost.exeC:\Bridgeserverintocommon\fontdrvhost.exe1⤵
-
C:\Windows\RemotePackages\RemoteApps\unsecapp.exeC:\Windows\RemotePackages\RemoteApps\unsecapp.exe1⤵
-
C:\Windows\es-ES\sihost.exeC:\Windows\es-ES\sihost.exe1⤵
-
C:\Windows\Logs\DISM\Idle.exeC:\Windows\Logs\DISM\Idle.exe1⤵
-
C:\Windows\PLA\Reports\es-ES\csrss.exeC:\Windows\PLA\Reports\es-ES\csrss.exe1⤵
-
C:\Recovery\WindowsRE\spoolsv.exeC:\Recovery\WindowsRE\spoolsv.exe1⤵
-
C:\Program Files\dotnet\TextInputHost.exe"C:\Program Files\dotnet\TextInputHost.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42B
MD59005984f23c241ae6504691edad99db9
SHA150ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff
-
Filesize
227B
MD58ad651de9eab5382f5aeb6e0a38e22bc
SHA1c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA5126fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
3.4MB
MD534f09d31d624cddea4794d6b60fb342a
SHA121dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
714B
MD530fa39ba2ac5721841fa2f5ed551c8a0
SHA1ba0fcaf7bb7bff61c673d30da2b6e448f069b0b6
SHA2560cd16b8eea1d9f2f0e8a6380fe0fdd7a315bc75b3c16e8c3c02d74be80111dca
SHA512fb0bde1bae2f87c6994e425a2075960f02d45fb226f529f5bd3805bc04885b5ebfcae297c082bbf9aa095c2f162616df0e114a4e076256a94866f4e5aa4b9e61
-
Filesize
717B
MD56a2eec7945e793e7237605d607da1f9b
SHA14cb3d9b1f9031c9df6f846c950f7f5ff54cfe8f0
SHA256c6ca2cafdde8ea4772c1d36f099f7f429699553969354d5c3c6f462c2f80bbc4
SHA5124d0c9d97e5a6cce23c9f4d34673bbe3a461de9f13c50c97b9eadd21cc8e5dcb43871d088ee1d0b24751b733c99b76e618e3c2f3d79c696e898dfb144fa6056bf
-
Filesize
714B
MD5a629bc34c5dbdd5379d3c4200b06bf0e
SHA1a17cbd082ac1e78a99717cdfa951265d516af566
SHA2567319f62ea1be22aa7e1127b99dcedbab62f73c89a0a838a69440e2ff9c444a9b
SHA51268c5de8e591d5f02497e285f879a442da4eeb37eac0a2e36cbb8a8749b5760767519fe80326271cf4e3183205b16077551df2c5963cae4d4060c45c87b8d5dcc
-
Filesize
506B
MD5e5107dd88c4380bb388355d8514720f0
SHA1e1f242f2ee78456ac427d44cd8d61af095d6818f
SHA256a132cc3c78234ca0b2ad9bfc0fa1bf0931ac46655ab0237eabf1df7a8601050b
SHA512442a2e86c8bc783e27c13ed3ddfacccd4746bf4dfff6aebbdfa5e237d481520963fdec0c4e075dd3bb4a659cac14c909f1797658ee941a531e6ac93aa585cab4
-
Filesize
714B
MD5c58e0149aa5e02ee32f2218595ceae04
SHA10a8eee9acebec159f2979fd52529f7e998a9264f
SHA256975483e77d815a695604516279f117e5eb079c9e2e362985b9eb333c26a115f6
SHA512fb08fd05332b07a1642e5ae8cad71c4723a6eb2114143981c37b3530b97a0557469fa88759a1c8e08a6dfb895023e987bd2bd71a56d8e7b812cc2562a4d124ef
-
Filesize
714B
MD5997c694ed67a75ec71cb8a8fe2c562f7
SHA139f8ce958c8ff2868479e37871470446f5c93e2d
SHA256626e92fd0298877903c7b4b53c5b986f518610685398af71034edbf053056835
SHA512efe9cdba37765381dae6a2fc50aab76748e13388d492bd7938503ac9a92e2a538e7d7dfa1e3ba34b9cd2d1858d3362e67223365c6289cbb75e29a4f77846a5d6
-
Filesize
714B
MD576edd22b929e2b88d875369716008a44
SHA1a70cad949754d96ca640ecf7b6a5bcc4bf1855fb
SHA2569f9f251522b29c3f1be3b464038972b4532eae5848724b3b7d26ac6ed2c3eb48
SHA5127c3bdcc1da27dd5fa6dd6fbd37cc4d8e930ef77c9bd74ce214c365230b25f6f6df7b290e1f969febe846347bd5bfd880c75906cd87be0b9bfb60576641e29f61
-
Filesize
714B
MD5a8444c07b3b8bf9b919a5192d108a25d
SHA1e0061224fd4c0b868a0c39c285359caa70659d18
SHA2561bb3ad670a6957cc03510ee10e4c428942727f0109accec26742b171c671f5b9
SHA512b4200c38740b93bc3be9f7652b2279955d0b042052e1bc27f61ad9a69ecb1db8abe7a34b9df5457aea5ef5dabc06e6288f3144288e191edef7c5f1d6eb88f5d3
-
Filesize
714B
MD519f096941d5313c6020a554d0341e38c
SHA100554110650e80acf4daa1bc751496d1b339ad5a
SHA256793aa9020bfb0b19d75ee9d4bb9e0fcf804c3557c13cfbac3a3ff079c948976b
SHA512c07dfb44b583d26302a3ff7bd73675d34b1b33815ad6b2d8c22341688d08e42e448d002efae882a7387b69912cad45fe313274e8c9e9a28dfa4e827e88caab4c
-
Filesize
714B
MD5334c78fb7554b59e927c3e49800f84e6
SHA12dc2d7c58a0114ce10a4ac109175a7d44be1d821
SHA25650c346e6366c427f2fea096a667ddc8b027dac41f30011d980173c6ba5d6c408
SHA5123dc1f8daffc5330aef0c951003fd976334cffbaa95ad8db97c18f5609fa4a82f46441dbc86574fccb9365c0c621380749ec0f5b7c63a1b591ee17a5d3428f865
-
Filesize
490B
MD535913113ac911e67a00ac0dd552e68df
SHA14316772f392f3fd9c81ef4e36929748367754dcd
SHA256e356307f50f84a6ee36250557b6ec36de44c6e5728cfcb6f075cd2cf68357807
SHA51258c0ff1a4d73dec5fe2ce6e37aeef8d2c515e7b5a1f47d69b7664f61e7eb60e1eef4e97392be26c01d1ccba81206f59acb120af8b07e46894906664394dcd93d
-
Filesize
490B
MD59d690b59b976d7d4df52a492dd774388
SHA18faa4952ef5da9018e84eafc4079e206b4d8f332
SHA25665b536478cc7d08d7eec19278f663ea515c58d9a6da9653802740580b88bfac4
SHA5120e37c411ec7ac8fd2faa6b19d10d624e6826978f8cbb9920b0851de34b64eb0a769e003feaa2e356a2e251850fbe93439ace559f06837c6e9a481f231b0f9766
-
Filesize
714B
MD53c3a22be6ae81a7d73b1fbe2269add35
SHA1dbae9964902b4ba11d7f2f470d540afb6fbe75e4
SHA256a75b7912b65334f6b8a90ded309b95489f771c65a3433eae2ac780a028ff3a20
SHA512cf83c7f37ed5db6730c69d399428c94c71f253167f8ab442ba05cbb167a16901491ba92213d92d71ad565d581f9415977233a97591f1b47a803a06f202d6ccaa
-
Filesize
2.2MB
MD561f4153bfff66366181c4102763763b6
SHA169e7786d66e718426321e2db61a6bafb3129b6a9
SHA256e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199
SHA512e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb
-
Filesize
714B
MD55d58cec3ce29a539878979d383ad636f
SHA1c080f596fefcf44b7743e97e91cc46294d5af8d1
SHA2568e9eaafaf1a67cce162c02d5e06569cb9d1f2a79c6da154f723016eb0d90c609
SHA512a315c28457fa07fc14334142a896186a29bd669f592b823c44a838d7926915375bf9fff2552953e4e8d0d3277d462028da20821e1f15f6a22ecfbb5e39de3673
-
Filesize
481B
MD5498a76d6408a510dd016719c570cba47
SHA121c8ab9385f60155b48022c1789c3c16b6f3f3b1
SHA256ef0ce72af6dcb2930fd15bcfb95d07cd1e9dab7c2b04f8d1a3f67a92236dadc2
SHA5129145d968d304a3a954e95077d49f6ef29b26cce1d2e2a0072313b4c68b9a75f1b89241c86e3ca47ab073a3b5e6d8f2432169e86c73c56cec10c3325cfb8475b1
-
Filesize
511B
MD52f1a92659c70b3c81e820e4c5e86d07c
SHA181137225a204048c6d6d4b5b24daddcd63271c3e
SHA25650bede47ca6182f9b6ba10a61a6cf96eba06201bea627bbe9fd6d4a993c32e9c
SHA51267f19f6a58a345c9fc7f101dd20365f94d33ae330c4830f40ece15c9c72290717314dc7ae75df8710f02f85f923de0e58133fdd7b136585304a0fee96ca18105
-
Filesize
714B
MD51efe28926e7ce51d8618832dafcd177e
SHA1e24792b1dd24b2c26f83883c95ffe39331dd79e5
SHA2567e72b97356406d577a0900788b0f68cd1dc85282baf376b84e654ce60e71e578
SHA512ddc421a69f92739ffd05b5fc9bc05de3dca005b8c4f59817e468733e3db9f3455cf734d7676bebd470a9bc9078afb6ea28fb8909c2f679c980e4476b1048a13d
-
Filesize
3.7MB
MD53aff466445051bd93a7ea3ae519587ef
SHA1516c1e9da912f6d988146fb812d88bdc7b30588a
SHA25647f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA5123870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
-
Filesize
493B
MD58543b45f7b3e9bfac90b9ddf973cf366
SHA1358023b9d546a5d1d67cce6e3efee4e598459bb0
SHA25615917c9f9d1cd1196e127ddde943dcc3ff3057b561933b49163bdd0087dc4f66
SHA51286e400cb66afd03d06a8fbbf31863b8760c877c4b34e901bdcc4592c5aa94c9edfb40c8f7f77731afa35f9cd0dbce1cf9cc8c901032c19bbd123a2d2a044920e
-
Filesize
714B
MD520a1c012516c33d6bbd3116df105c194
SHA1c66b8cdb17403e391319d7b0043c8d33e8eb954a
SHA2567bb585add57d7227d5fa89231c8bae10a11d65a83cbb95bc25582d68b430fc45
SHA512130f058847e70ae42b72d9ddadc579151de0a7c8a6296727b764d16d24641cd6bc98f63426acc53eb3b58165a3865fd171c13d8908f7c559d61386313517c500
-
Filesize
714B
MD509e6473fb1236c22efc8987acabfad4c
SHA1984972616296d8953905f76151b86576cff8180a
SHA256c7dbddd35404968766b8fd8c7ecca382633c3995bddc75e94996704b655a9934
SHA512769cdae8b6418b2b7c3db0bd83ee485e69f95a27d632ff5d739446c683227619b0beea3cdc6d30ae2f33838ef843138f80da88a93db731eab7107818967afe49
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
3.4MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
344KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
4.6MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
344KB