Analysis
max time kernel: 1800s
max time network: 1801s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 20:33

Static task: static1
Behavioral task: behavioral1
  Sample: Neverlose.cc Crack.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: Neverlose.cc Crack.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: Neverlose.cc Crack.exe
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Neverlose.cc Crack.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral5
  Sample: Neverlose.cc Crack.exe
  Resource: win11-20240419-en
General
Target: Neverlose.cc Crack.exe
Size: 4.6MB
MD5: cb2be30171f2abcd864d4afbce7cbf4a
SHA1: 9b9328b84ca32f6026430b98390e718d971c82ed
SHA256: de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
SHA512: 935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
SSDEEP: 98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47

Malware Config

Signatures
DcRat 27 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid   process
5012  schtasks.exe
2368  schtasks.exe
1112  schtasks.exe
5096  schtasks.exe
3432  schtasks.exe
4672  schtasks.exe
2928  schtasks.exe
5076  schtasks.exe
4376  schtasks.exe
3636  schtasks.exe
2932  schtasks.exe
3344  schtasks.exe
3568  schtasks.exe
4640  schtasks.exe
4608  schtasks.exe
4412  schtasks.exe
4256  schtasks.exe
2328  schtasks.exe
1332  schtasks.exe
4636  schtasks.exe
4920  schtasks.exe
4352  schtasks.exe
3512  schtasks.exe
2644  schtasks.exe
4140  schtasks.exe
5072  schtasks.exe
5028  schtasks.exe
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Bridgeserverintocommon\\SppExtComObj.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Bridgeserverintocommon\\SppExtComObj.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\da-DK\\backgroundTaskHost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Bridgeserverintocommon\\SppExtComObj.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Bridgeserverintocommon\\SppExtComObj.exe\", \"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\da-DK\\backgroundTaskHost.exe\", \"C:\\Bridgeserverintocommon\\Idle.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Bridgeserverintocommon\\conhost.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\Windows\\ModemLogs\\dwm.exe\""  intobroker.exe
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description  pid  pid_target  process  target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2932  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5072  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2644  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1332  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1112  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3512  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3344  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3432  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4920  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2328  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4256  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3568  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2368  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4376  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4640  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5012  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4412  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5028  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4636  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4140  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4672  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5096  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3636  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4608  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2928  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4352  2424  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  5076  2424  schtasks.exe
UAC bypass
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  backgroundTaskHost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  backgroundTaskHost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  backgroundTaskHost.exe
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe  dcrat
C:\Bridgeserverintocommon\intobroker.exe  dcrat
behavioral4/memory/432-41-0x0000000000850000-0x0000000000BB8000-memory.dmp  dcrat
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  Neverlose.cc Crack.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  explorer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  intobroker.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  intobroker.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  backgroundTaskHost.exe
Executes dropped EXE 35 IoCs
Processes:
pid   process
4556  explorer.exe
876   AimStar.exe
432   intobroker.exe
4848  intobroker.exe
3556  backgroundTaskHost.exe
5104  dwm.exe
2808  conhost.exe
1620  System.exe
2172  backgroundTaskHost.exe
4880  SppExtComObj.exe
3192  dwm.exe
4680  conhost.exe
4536  RuntimeBroker.exe
2928  System.exe
668   backgroundTaskHost.exe
4612  Idle.exe
2168  dwm.exe
1576  conhost.exe
5064  SppExtComObj.exe
3520  System.exe
3552  backgroundTaskHost.exe
3692  dwm.exe
748   conhost.exe
4088  RuntimeBroker.exe
2604  System.exe
1512  SppExtComObj.exe
1588  backgroundTaskHost.exe
1468  Idle.exe
2088  dwm.exe
1524  conhost.exe
1780  System.exe
2332  dwm.exe
4432  conhost.exe
1992  RuntimeBroker.exe
1736  backgroundTaskHost.exe
Adds Run key to start application 2 TTPs 18 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Bridgeserverintocommon\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Bridgeserverintocommon\\Idle.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Bridgeserverintocommon\\Idle.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Desktop\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Bridgeserverintocommon\\SppExtComObj.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Application Data\\RuntimeBroker.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Bridgeserverintocommon\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\ModemLogs\\dwm.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\da-DK\\backgroundTaskHost.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Desktop\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\System.exe\""  intobroker.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\ModemLogs\\dwm.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Bridgeserverintocommon\\SppExtComObj.exe\""  intobroker.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\da-DK\\backgroundTaskHost.exe\""  intobroker.exe
Checks whether UAC is enabled
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  backgroundTaskHost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  backgroundTaskHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Drops file in System32 directory 3 IoCs
Processes:
description  ioc  process
File created  C:\Windows\System32\da-DK\eddb19405b7ce1  intobroker.exe
File created  C:\Windows\System32\da-DK\backgroundTaskHost.exe  intobroker.exe
File opened for modification  C:\Windows\System32\da-DK\backgroundTaskHost.exe  intobroker.exe
Drops file in Program Files directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Program Files\Reference Assemblies\Microsoft\088424020bedd6  intobroker.exe
File created  C:\Program Files\Reference Assemblies\Microsoft\conhost.exe  intobroker.exe
Drops file in Windows directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Windows\ModemLogs\6cb0b6c459d5d3  intobroker.exe
File created  C:\Windows\ModemLogs\dwm.exe  intobroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
5096  schtasks.exe
4608  schtasks.exe
3568  schtasks.exe
5028  schtasks.exe
4672  schtasks.exe
4636  schtasks.exe
3344  schtasks.exe
3432  schtasks.exe
4376  schtasks.exe
2928  schtasks.exe
4352  schtasks.exe
5072  schtasks.exe
2328  schtasks.exe
3636  schtasks.exe
5012  schtasks.exe
2644  schtasks.exe
4256  schtasks.exe
2368  schtasks.exe
4412  schtasks.exe
4140  schtasks.exe
1112  schtasks.exe
4640  schtasks.exe
5076  schtasks.exe
4920  schtasks.exe
2932  schtasks.exe
1332  schtasks.exe
3512  schtasks.exe
Modifies registry class 4 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  intobroker.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  intobroker.exe
Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  backgroundTaskHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
432   intobroker.exe
432   intobroker.exe
432   intobroker.exe
432   intobroker.exe
432   intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
4848  intobroker.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
3556  backgroundTaskHost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3556  backgroundTaskHost.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  432  intobroker.exe
Token: SeDebugPrivilege  4848  intobroker.exe
Token: SeDebugPrivilege  3556  backgroundTaskHost.exe
Token: SeBackupPrivilege  2168  vssvc.exe
Token: SeRestorePrivilege  2168  vssvc.exe
Token: SeAuditPrivilege  2168  vssvc.exe
Token: SeDebugPrivilege  5104  dwm.exe
Token: SeDebugPrivilege  2808  conhost.exe
Token: SeDebugPrivilege  1620  System.exe
Token: SeDebugPrivilege  2172  backgroundTaskHost.exe
Token: SeDebugPrivilege  4880  SppExtComObj.exe
Token: SeDebugPrivilege  3192  dwm.exe
Token: SeDebugPrivilege  4680  conhost.exe
Token: SeDebugPrivilege  4536  RuntimeBroker.exe
Token: SeDebugPrivilege  2928  System.exe
Token: SeDebugPrivilege  668  backgroundTaskHost.exe
Token: SeDebugPrivilege  4612  Idle.exe
Token: SeDebugPrivilege  2168  dwm.exe
Token: SeDebugPrivilege  1576  conhost.exe
Token: SeDebugPrivilege  5064  SppExtComObj.exe
Token: SeDebugPrivilege  3520  System.exe
Token: SeDebugPrivilege  3552  backgroundTaskHost.exe
Token: SeDebugPrivilege  3692  dwm.exe
Token: SeDebugPrivilege  748  conhost.exe
Token: SeDebugPrivilege  4088  RuntimeBroker.exe
Token: SeDebugPrivilege  2604  System.exe
Token: SeDebugPrivilege  1512  SppExtComObj.exe
Token: SeDebugPrivilege  1468  Idle.exe
Token: SeDebugPrivilege  1588  backgroundTaskHost.exe
Token: SeDebugPrivilege  2088  dwm.exe
Token: SeDebugPrivilege  1524  conhost.exe
Token: SeDebugPrivilege  1780  System.exe
Token: SeDebugPrivilege  2332  dwm.exe
Token: SeDebugPrivilege  4432  conhost.exe
Token: SeDebugPrivilege  1992  RuntimeBroker.exe
Token: SeDebugPrivilege  1736  backgroundTaskHost.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description  pid  process  target process
PID 2236 wrote to memory of 4556  2236  Neverlose.cc Crack.exe  explorer.exe
PID 2236 wrote to memory of 4556  2236  Neverlose.cc Crack.exe  explorer.exe
PID 2236 wrote to memory of 4556  2236  Neverlose.cc Crack.exe  explorer.exe
PID 2236 wrote to memory of 876  2236  Neverlose.cc Crack.exe  AimStar.exe
PID 2236 wrote to memory of 876  2236  Neverlose.cc Crack.exe  AimStar.exe
PID 4556 wrote to memory of 1440  4556  explorer.exe  WScript.exe
PID 4556 wrote to memory of 1440  4556  explorer.exe  WScript.exe
PID 4556 wrote to memory of 1440  4556  explorer.exe  WScript.exe
PID 4556 wrote to memory of 4828  4556  explorer.exe  WScript.exe
PID 4556 wrote to memory of 4828  4556  explorer.exe  WScript.exe
PID 4556 wrote to memory of 4828  4556  explorer.exe  WScript.exe
PID 1440 wrote to memory of 1060  1440  WScript.exe  cmd.exe
PID 1440 wrote to memory of 1060  1440  WScript.exe  cmd.exe
PID 1440 wrote to memory of 1060  1440  WScript.exe  cmd.exe
PID 1060 wrote to memory of 432  1060  cmd.exe  intobroker.exe
PID 1060 wrote to memory of 432  1060  cmd.exe  intobroker.exe
PID 432 wrote to memory of 1468  432  intobroker.exe  cmd.exe
PID 432 wrote to memory of 1468  432  intobroker.exe  cmd.exe
PID 1468 wrote to memory of 3340  1468  cmd.exe  w32tm.exe
PID 1468 wrote to memory of 3340  1468  cmd.exe  w32tm.exe
PID 1468 wrote to memory of 4848  1468  cmd.exe  intobroker.exe
PID 1468 wrote to memory of 4848  1468  cmd.exe  intobroker.exe
PID 4848 wrote to memory of 1092  4848  intobroker.exe  cmd.exe
PID 4848 wrote to memory of 1092  4848  intobroker.exe  cmd.exe
PID 1092 wrote to memory of 1184  1092  cmd.exe  w32tm.exe
PID 1092 wrote to memory of 1184  1092  cmd.exe  w32tm.exe
PID 1092 wrote to memory of 3556  1092  cmd.exe  backgroundTaskHost.exe
PID 1092 wrote to memory of 3556  1092  cmd.exe  backgroundTaskHost.exe
PID 3556 wrote to memory of 3960  3556  backgroundTaskHost.exe  WScript.exe
PID 3556 wrote to memory of 3960  3556  backgroundTaskHost.exe  WScript.exe
PID 3556 wrote to memory of 2072  3556  backgroundTaskHost.exe  WScript.exe
PID 3556 wrote to memory of 2072  3556  backgroundTaskHost.exe  WScript.exe
System policy modification 1 TTPs 9 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  intobroker.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  backgroundTaskHost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  backgroundTaskHost.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  backgroundTaskHost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\explorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Bridgeserverintocommon\intobroker.exe
          Command line: "C:\Bridgeserverintocommon\intobroker.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

          [depth 6] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mj5zqX0DBV.bat"
            - Suspicious use of WriteProcessMemory

            [depth 7] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

            [depth 7] C:\Bridgeserverintocommon\intobroker.exe
              Command line: "C:\Bridgeserverintocommon\intobroker.exe"
              - Modifies WinLogon for persistence
              - UAC bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops file in System32 directory
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification

              [depth 8] C:\Windows\System32\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zBrD1It2YK.bat"
                - Suspicious use of WriteProcessMemory

                [depth 9] C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                [depth 9] C:\Windows\System32\da-DK\backgroundTaskHost.exe
                  Command line: "C:\Windows\System32\da-DK\backgroundTaskHost.exe"
                  - UAC bypass
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification

                  [depth 10] C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7161dccd-1f6f-4b5b-97f5-0a1fdc34385a.vbs"

                  [depth 10] C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c020a861-53e9-4463-bf77-94340fe05f9a.vbs"

    [depth 3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"

  [depth 2] C:\Users\Admin\AppData\Local\Temp\AimStar.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AimStar.exe"
    - Executes dropped EXE

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Bridgeserverintocommon\conhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Bridgeserverintocommon\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\System.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\System.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\dwm.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Bridgeserverintocommon\SppExtComObj.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\SppExtComObj.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Bridgeserverintocommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\da-DK\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\da-DK\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\da-DK\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Bridgeserverintocommon\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Bridgeserverintocommon\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\System.exe"C:\Users\All Users\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\da-DK\backgroundTaskHost.exeC:\Windows\System32\da-DK\backgroundTaskHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Bridgeserverintocommon\SppExtComObj.exeC:\Bridgeserverintocommon\SppExtComObj.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Application Data\RuntimeBroker.exe"C:\Users\Admin\Application Data\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\System.exe"C:\Users\All Users\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\da-DK\backgroundTaskHost.exeC:\Windows\System32\da-DK\backgroundTaskHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Bridgeserverintocommon\Idle.exeC:\Bridgeserverintocommon\Idle.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Bridgeserverintocommon\SppExtComObj.exeC:\Bridgeserverintocommon\SppExtComObj.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\System.exe"C:\Users\All Users\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\da-DK\backgroundTaskHost.exeC:\Windows\System32\da-DK\backgroundTaskHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Application Data\RuntimeBroker.exe"C:\Users\Admin\Application Data\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\System.exe"C:\Users\All Users\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Bridgeserverintocommon\SppExtComObj.exeC:\Bridgeserverintocommon\SppExtComObj.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\da-DK\backgroundTaskHost.exeC:\Windows\System32\da-DK\backgroundTaskHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Bridgeserverintocommon\Idle.exeC:\Bridgeserverintocommon\Idle.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\All Users\System.exe"C:\Users\All Users\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ModemLogs\dwm.exeC:\Windows\ModemLogs\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"C:\Program Files\Reference Assemblies\Microsoft\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Application Data\RuntimeBroker.exe"C:\Users\Admin\Application Data\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\da-DK\backgroundTaskHost.exeC:\Windows\System32\da-DK\backgroundTaskHost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat
Filesize: 42B
MD5: 9005984f23c241ae6504691edad99db9
SHA1: 50ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256: e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512: 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff
-
C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe
Filesize: 227B
MD5: 8ad651de9eab5382f5aeb6e0a38e22bc
SHA1: c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256: adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA512: 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a
-
C:\Bridgeserverintocommon\file.vbs
Filesize: 34B
MD5: 677cc4360477c72cb0ce00406a949c61
SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Bridgeserverintocommon\intobroker.exe
Filesize: 3.4MB
MD5: 34f09d31d624cddea4794d6b60fb342a
SHA1: 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256: fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512: e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\intobroker.exe.log
Filesize: 1KB
MD5: 655010c15ea0ca05a6e5ddcd84986b98
SHA1: 120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA256: 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512: e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
C:\Users\Admin\AppData\Local\Temp\7161dccd-1f6f-4b5b-97f5-0a1fdc34385a.vbs
Filesize: 724B
MD5: 4084dc842f74de51618174376f2d26dc
SHA1: aa15861dae0e21e8b560c20da1a14e5d93bbce81
SHA256: 9dff374e43441c3228315c54306fc3fb8ff3e9d0bf5c87725c2a5441158c82f2
SHA512: 19a48a1bd19ea220d341ff2a90d8c7398fb91133d8cea762f31ea47d843b93b4080234fc528479a1c987479bbec2b8ee8b37da8cf4897741124cb26a3a02a4f5
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exe
Filesize: 2.2MB
MD5: 61f4153bfff66366181c4102763763b6
SHA1: 69e7786d66e718426321e2db61a6bafb3129b6a9
SHA256: e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199
SHA512: e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb
-
C:\Users\Admin\AppData\Local\Temp\c020a861-53e9-4463-bf77-94340fe05f9a.vbs
Filesize: 500B
MD5: 6bbe0380e14e4b0e1670ea21fd2dea65
SHA1: e6d17e7b72e2b8d839c82ec7052c5e478e3a9e33
SHA256: 922c3110d2bfb919cff38076c1b042ae9e0229b140d518d73e8a801d25cd087e
SHA512: be0e87047b7f57a7bfd139dd2f9e1e4c2265d4d8dec3189682a93b841a299285352970cfb91b760d05f2162d81ab4d6e5ce3501253eace89868af31d0201a76f
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize: 3.7MB
MD5: 3aff466445051bd93a7ea3ae519587ef
SHA1: 516c1e9da912f6d988146fb812d88bdc7b30588a
SHA256: 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA512: 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
-
C:\Users\Admin\AppData\Local\Temp\mj5zqX0DBV.bat
Filesize: 205B
MD5: 6e164381f84a1ab854ac38fdf8d55567
SHA1: 9c3138e897859e9aeeec4895b1feced47bf8eb36
SHA256: a8f35b8ab797eb07820222a0aa53cbd6f263bbe5f43ccb2e829d431377886581
SHA512: 16ad62d8483cf6da1d7c013d1053305f23b979c2b4627ff35d020742013f4285e77863fca9dc2af80cb278595fb652506884b38a1233665bec396fc73bf4ff2d
-
C:\Users\Admin\AppData\Local\Temp\zBrD1It2YK.bat
Filesize: 213B
MD5: 28f368bebfca5a1b8189540d7e4f4345
SHA1: 42500338d47c049e82a4917f072a9adbde9db3f4
SHA256: 15ebef72c189a483f4fb5a68ea64e5041e868c26e42f9893b69eb018d60274e8
SHA512: efd179dc75ca78bf61c67e160abca3d9f0a7368d08130706d4c70b2b5bd4c4e2a3701e3acf2a04272a360e4ac07b1d62c6e7cc5149621e6845d9ccf904e0205f