Analysis
-
max time kernel
1800s -
max time network
1799s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
30-04-2024 20:33
General
-
Target
Neverlose.cc Crack.exe
-
Size
4.6MB
-
MD5
cb2be30171f2abcd864d4afbce7cbf4a
-
SHA1
9b9328b84ca32f6026430b98390e718d971c82ed
-
SHA256
de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
-
SHA512
935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
-
SSDEEP
98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 64 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe"C:\Users\Admin\AppData\Local\Temp\explorer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Bridgeserverintocommon\intobroker.exe"C:\Bridgeserverintocommon\intobroker.exe"5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L0XaTsj2YO.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d888000a-f067-4dae-97b2-bdd7dc3116ec.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5259f394-9c3b-4a35-b9ba-47aba974bf69.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe11⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1832da-5f78-44ae-ac58-ab65415efb68.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe13⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12e7d9e5-f22d-4585-b3f0-d210976fdd73.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25411de5-3532-463c-ad6a-08a34584af6c.vbs"16⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe17⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7926de01-fc77-40c6-8560-d0602de73fd7.vbs"18⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce88bea-3f0d-44ea-9f20-ba7cecbcf361.vbs"20⤵
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c619c2b5-87db-4315-a48e-ee99d2865150.vbs"22⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe23⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53f6212-924f-42d3-89e6-d49cbd7339b0.vbs"24⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe25⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffa5c4ed-8f80-4922-8b03-4dd6b6c62c0c.vbs"26⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e531bb5-f608-48a3-895a-e56a4cd085e4.vbs"28⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe29⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bba978-0e5d-4998-b927-bfd56e4cb24f.vbs"30⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\649a2fbf-16fe-43c2-a7e1-bb968f5ebde0.vbs"32⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe33⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6b0b24-5ab2-478e-86d4-9d28a80cc935.vbs"34⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe35⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb088a59-18ca-4b83-9479-4b1ccc10fec1.vbs"36⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54276e7b-3bcd-4262-9771-a34a103a1a5f.vbs"38⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe39⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6d20dd-79bc-4c64-8c58-cfe904260f6e.vbs"40⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe41⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe19d7b2-14ac-4afa-ac65-bf0071fef492.vbs"42⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe43⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df5a642-4175-4f0c-9db2-11a3b25d8d34.vbs"44⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe45⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12c31c26-d0d3-4bd5-aedd-d9b2f7475c3c.vbs"46⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe47⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afb9356e-8686-40d2-994e-d240c45c4b97.vbs"48⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe49⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270957f0-f4e2-4186-ae55-76456699de04.vbs"50⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe51⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30fd5d81-94a2-480e-ac8f-91b6d23f6d4b.vbs"52⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe53⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4603ae-164f-46a8-8100-8ec8138677d1.vbs"54⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe55⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec43b257-d12d-4663-9f20-daef8dce8772.vbs"56⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe57⤵
- Executes dropped EXE
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832a5fab-7e87-4c4c-a85c-8cec4eefb547.vbs"58⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f1b114-a66f-4cc2-b840-402359de0605.vbs"60⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe61⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02cb0ea2-340a-4c34-a177-08e1d730e305.vbs"62⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe63⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5724fd4-a8a1-4923-a832-848846134492.vbs"64⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe65⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5da6e8-7679-420d-b89d-e2058cb2cb03.vbs"66⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe67⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d51871b7-411e-402b-bbf8-796ffce543b9.vbs"68⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe69⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681e1dbe-2a08-4cbf-9966-74e1f589778e.vbs"70⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe71⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df4ee476-ce39-49f4-997b-fdce994b8550.vbs"72⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe73⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\349eb97b-4942-4d78-a903-23b7db8c11de.vbs"74⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe75⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b82576e-f2a1-44e4-b834-6de58c88dff9.vbs"76⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe77⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccbd8eaf-d4d9-45a2-96f0-a1c2e3b270c7.vbs"78⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe79⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5041be5f-9bff-4245-9628-dbc8893a6c15.vbs"80⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe81⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c93c81a3-55ec-4445-b9a7-474f82d762b1.vbs"82⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe83⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d7ecac-434c-48bd-be9f-8d0ff0b897ab.vbs"84⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe85⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7720d2-9477-4422-a0e4-eaba6b669ed1.vbs"86⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe87⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40e1094c-d41f-4b61-8976-f4207e9eced0.vbs"88⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe89⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f61b3e-c6c6-44fd-90df-dfdbcd13ed07.vbs"90⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe91⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b69f64-ec95-4aef-9824-c1be3da034f4.vbs"92⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe93⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f978f59f-8817-495d-b2cb-bbb0f32f69de.vbs"94⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe95⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c293c5a-d4be-4368-b98f-ba2c948946c0.vbs"96⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe97⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bcefffb-ce98-495d-b45c-a642c3a7f67a.vbs"98⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe99⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0b293a7-22df-4dba-bddd-f5e33db79033.vbs"98⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e32291-5e2c-4e4e-9bcb-75345082b1a8.vbs"96⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170272fa-a057-4fd3-8077-c237695b1e6c.vbs"94⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4658c4f8-4982-4688-a72e-82904fd8d749.vbs"92⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd5dabb-386b-4288-945b-51c804beb05b.vbs"90⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186cff3d-cfbb-4062-8b3a-fcb880adb85d.vbs"88⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8898f6b1-3f6e-4c2d-9017-748d1205acfc.vbs"86⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369f09a9-6db4-403f-b3ab-64e2f06a59ef.vbs"84⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aea6369-efc5-49b7-80ad-c1fc805e3d93.vbs"82⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e89bdcc-6eb5-4414-bdd0-63af8475fdee.vbs"80⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211cf535-197a-4b98-abe1-a1401aabf3d8.vbs"78⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19059ba9-3d8c-4e94-8539-ed8e9de782e7.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20e0c6c3-9885-4413-9f7b-e9fec4c602b7.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d1f8c50-2a53-4a10-8668-cd3f47af3069.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7537fd3e-16b6-40fe-abc9-4a79f8bf89dd.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efd83378-391d-4040-b419-9ec96ea3b218.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d797986e-bcfd-46f6-b023-656a82bba707.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c9ee8aa-a39a-44c7-bdf8-4a8b3ca1636a.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd88e66a-5e37-4bfa-882d-743ec21e5ce5.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c65b4ea5-ccd1-423b-9176-152af3461609.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513ecfb9-6ab0-407e-bb24-327ec7e898cf.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597854ca-cb08-47a6-8c5e-b1f270e442c5.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2959693-7327-4c87-96fd-faa598c02ead.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e794be-0043-4870-9627-64116ba718f5.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04564da6-a904-4fc4-a806-ecab25aaa499.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5845cda7-d2b2-4efe-a936-c6182a381005.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a684f2-f18b-4b21-b677-a459286f1711.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afbd9d83-ac24-46ad-9008-c502b58e9966.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b834b2e5-9497-44ac-bed4-a8ff3f4f655e.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09523b8-c0d8-4cd4-9b75-010e62e1592a.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01fd46ee-5419-4cf8-b1bd-ee0eb704f9b5.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef1407c8-be19-43c5-ae67-1b70ebd002c5.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec516f9-4f60-4a29-a571-197bbbe9d64e.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17678ea4-3b21-4977-9e07-d9ab5928c373.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fdd1bc4-c701-49d8-b622-c26f3b5c606d.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6632acc1-9716-46e9-b5f1-ab8f624107b1.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bdd53f5-c581-4257-bbdf-73ed3baa52a5.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9f3b98-d96b-447e-9da7-e47507eefe64.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d77f3671-3541-4e7d-90e5-ffac6d433d73.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4ba7ad-53ce-40c3-9fb4-b4ded6a51ea1.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ff04a7-0eda-4167-9426-9601772a4dda.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6465819-8255-4935-9d54-43d48cbad355.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2a3ab0-c708-4d28-9d8b-54e5a149eb27.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bd5a9a-b1e2-4d74-bb00-4c3d4386a935.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbf4545c-23ff-4b68-b7fe-fa182efaf82f.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca423b83-c3e1-47a5-9ecf-8576ee80486c.vbs"8⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exe"C:\Users\Admin\AppData\Local\Temp\AimStar.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a3e49b-99d8-41c6-9844-8168ee4c80c8.vbs"2⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63b8c705-0150-49e3-bfe6-bf6e1ba7104c.vbs"4⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68213cb3-20e0-4b1b-a9e2-08a29ab381e3.vbs"6⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e29a040b-dca1-4cc9-a376-4a9359ebd9b4.vbs"8⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c311fd1-20ea-40f9-b341-35c154b5183a.vbs"10⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76066860-98e7-4238-b511-3ef95bdb2bb0.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46acc47a-94ed-415f-ba68-99ebeec3a26b.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9441b50c-2a90-4e96-8def-868bc20bdca3.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ef5ad8-3ae2-46ed-a311-03d071421781.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c8dce4b-ba35-4466-87aa-3f52886c7950.vbs"2⤵
-
C:\Program Files (x86)\Internet Explorer\lsass.exe"C:\Program Files (x86)\Internet Explorer\lsass.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec4e633b-18c6-451a-9bd3-55631c62c3ed.vbs"2⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153226de-fe37-4799-afac-17cb0c211ccc.vbs"4⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25568f01-f1fc-4055-ad9b-db7e41d93a0f.vbs"6⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe7⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b180c5-3a12-45d5-a0e3-af0dc35a60c1.vbs"8⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d3d8f6-5d33-4620-bed7-7d5a65ffa390.vbs"10⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33da8c1c-693f-47ee-a1ad-1350747d40bc.vbs"12⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe13⤵
- UAC bypass
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d1a5bff-4b43-431b-9678-33541abbfd44.vbs"14⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe15⤵
- UAC bypass
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31fd4017-79d6-42a7-bb0c-2fba78a82141.vbs"16⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe17⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f81cc6-e097-478d-87e6-fe0205c23bf7.vbs"18⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe19⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bff00d95-37b5-40d3-8e92-27061b077dff.vbs"20⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe21⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\034bbc51-4e9c-4fa4-a782-6d2c3318429b.vbs"22⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe23⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e65b52-b5a1-4b2c-a44d-c61d34948806.vbs"24⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe25⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8261d6d-a881-4106-999d-7b020e63b240.vbs"26⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe27⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3544bf7a-0d64-4a7a-9d1d-cac294c1b8db.vbs"28⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe29⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e954887-ce64-487a-bf93-0930655f8005.vbs"30⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe31⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0b63b7-8085-4768-8401-43997e37f922.vbs"32⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe33⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\469b7ee9-0b4d-4fd6-a36b-fa9c8d5b4488.vbs"34⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe35⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c89ff13-7957-4a50-b21a-819d505e12ac.vbs"36⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe37⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f20f556c-76f4-49d7-a65e-ea2f20ae3303.vbs"38⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe39⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da6e77c-0b51-4be9-b61d-3d4632e1c6b1.vbs"40⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe41⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92325426-0ea4-411e-9281-c77c313f42d3.vbs"42⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe43⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068f63a6-ef01-4892-a34d-e048586663f6.vbs"44⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe45⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\829f2a36-b37b-486b-8d98-e2720080cf6c.vbs"46⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe47⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3036b40a-d9a5-4ece-9bd1-2775a97cee92.vbs"48⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe49⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c49afb-731e-4813-a6f5-9a6ea8d91be6.vbs"50⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe51⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c98f55-7d1f-4aca-9a9c-37864c9a75db.vbs"52⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe53⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5dffb53-0f5b-4e3b-a0de-9a6dd3b80877.vbs"54⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe55⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6202f4eb-b825-4cf1-8c33-047d5f5bf35a.vbs"56⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe57⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b359d9c4-6919-42d3-8a10-7ba7b157b2bd.vbs"58⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe59⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f27820d-55d2-416e-9cd1-ff38ccde898e.vbs"60⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe61⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6143548a-6c73-4652-9476-fc52f7bcc904.vbs"62⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe63⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53ac8b47-2e6b-437c-9258-72db5a348de7.vbs"64⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe65⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec6dbf8-60ba-402a-92e5-ac5bce43da10.vbs"66⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe67⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5bc574c-a0c3-4551-92ca-688096c04c2d.vbs"68⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe69⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fabb4113-72d8-4a75-bb78-a18d0158689a.vbs"70⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe71⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22897489-69ab-4be8-8ed0-55c1a4da515c.vbs"72⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe73⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b77f4143-2c3b-4c8d-b36f-1af892384d16.vbs"74⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe75⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e330a647-0ac8-41f5-af89-bd241dc07be7.vbs"76⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe77⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b51084-9b28-4820-8550-91688466a62a.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e367c2e3-333b-42aa-909d-5892fa8111e4.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9deca9da-66fe-4883-9063-4d285942e38c.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe011e2e-da2d-4e9f-8fec-5729372f500b.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc64519f-2856-4ec6-88ea-03ed8116775a.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ea0f09f-1579-4eae-ba10-510bc914d297.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\134c3d35-0e7a-46a4-a0e8-5033eb4fa3b1.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7fe6f0-c95b-4118-a080-5aec4189ff6f.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d775d89-6a0b-461a-8db1-8341ac4b583e.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\012d7929-2085-46b4-8dc3-c5aa2ad90fc0.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb759537-c712-4929-bc0c-b11f46197a2c.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eec362c-5eb9-4ff6-9f4d-93e8259f2097.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c587acf-e7b4-4b5f-beaf-a7bae2daa5e2.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9379184-f8cc-444b-a3e2-2496e625067f.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3996ce-0f05-4282-851f-4dc3ef58d75a.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\479743dd-faff-45ce-982b-c35af8095f69.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ed030c1-18e3-4620-915f-ff2827fa6c4e.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3c7e5a-689a-469f-ad43-731390d8ed8d.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa3f973-fe84-49ac-830f-8ab83c71886a.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85de1a5d-6c60-4d22-9b52-f335fba1be6c.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d460f1fd-ea64-4a7d-a124-6d08b0b98cd9.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198f6cda-020f-4734-9b24-2e4d37a6d015.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164dd677-9ff3-4c05-9d11-00cd6669f228.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c01e0315-d58b-476e-96cc-04a8d946ef0b.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b59fc9b9-9c61-42ab-849c-010827b627aa.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c970facf-fb9f-482d-9843-2f908b5994e8.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1f1b3a-fd7b-47a0-aeb1-3230bbf46ed2.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1f67c8-21d2-465d-82c9-235633a29dcf.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39bb080f-ee28-44e1-9c63-40190883cb0d.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c4029b-be60-4e85-a9e1-6399739cce61.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e869c26b-2a3d-4b5f-b692-8eea7b3b59a4.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82715258-70d6-464b-aa2c-c6ae07e1e0a1.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6906cf81-a701-4d70-9932-07be1e6bd443.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e609f7-697a-4806-a4cf-b13d7dd41432.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ed9e42-aceb-4e11-910e-209670f47446.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf1bf04-a23c-4044-8ae3-6f346b4a736e.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8bf9c2-cfa5-4880-94ee-6d4f296d36f1.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84d58a2a-eb22-468e-a923-3cb0cb692985.vbs"2⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe1⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671544be-9732-4edc-a0e3-b75500a0ad76.vbs"2⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe3⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e94dea9-8ad0-4290-8d8a-d5f44e4eaacb.vbs"4⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe5⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c1003de-2ca6-442c-836f-305c9b3acbda.vbs"6⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe7⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38014573-4050-47ba-9a20-f39bd3f917c2.vbs"8⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe9⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7c15fd5-d73d-422f-b082-215a74ded541.vbs"10⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe11⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d3b7397-b66e-4efc-8e50-678ab6de1a35.vbs"12⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe13⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f9e3196-4a1c-40bc-81f9-7640314e7091.vbs"14⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe15⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a68b638-233c-4a47-9770-29624516c166.vbs"16⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe17⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96003001-068f-4680-90ae-561c2826abc4.vbs"18⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe19⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855a965d-5914-4180-a626-7752de71a64f.vbs"20⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe21⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4058a1-7619-47d7-83d4-d7d5a7cc554a.vbs"22⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe23⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9326086-1cab-4011-bbae-ce139cc8e94b.vbs"24⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe25⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692f3add-afcc-4082-9897-1486be3515bd.vbs"26⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe27⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21120d2e-5ad1-4c8f-9da5-889f25f354fb.vbs"28⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe29⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebc98cff-d71f-4db1-88e9-8fdc7ed5fee0.vbs"30⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe31⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2ff42ff-76cd-411f-b2ef-ac98e9231447.vbs"32⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe33⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d433f95-6fcd-451d-8851-fa7238603466.vbs"34⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe35⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90d1da0-2ac2-4f0b-acd3-6c30f431e4cf.vbs"36⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe37⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89f2469-bb84-41b7-adad-e2585d2dc1df.vbs"38⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe39⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9440d36-df50-45f3-ac60-78ef3f77a100.vbs"40⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe41⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e352757-5715-40f9-b668-6474f56b7510.vbs"42⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe43⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29127795-cd68-4f00-bdf5-dd4a282f9473.vbs"44⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe45⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf2321c-a27b-40e4-899b-d32bb5522bc4.vbs"46⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe47⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb2515f-a061-4f8f-822f-398ed5368252.vbs"48⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe49⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da150f43-b3d1-4c8e-8165-b16e6742f9d0.vbs"50⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe51⤵
- UAC bypass
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66cb9863-7080-4e10-93a8-84267a9a691b.vbs"52⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe53⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1948bb02-20c3-4e35-97eb-d847ab2d5c15.vbs"54⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe55⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6879320-4a64-495c-a106-5bfb1dc97c41.vbs"56⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe57⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac7c2e2-453b-43ef-8439-394634cce938.vbs"58⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe59⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d269832-2790-4d4a-aa8c-0b4d0ab88acf.vbs"60⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe61⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94fba9f7-9ce1-4c08-b54d-bea391e473bd.vbs"62⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe63⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b8c154-d620-4b11-8be5-3a39232ecfc9.vbs"64⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe65⤵
- UAC bypass
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45ec3c2f-cbab-42ca-a9a7-92d695e93190.vbs"66⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe67⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd89abdd-5721-45a4-83fa-18692aa1623e.vbs"68⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe69⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5869ee0-55a6-45b2-83ca-4dd0f524eb37.vbs"70⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe71⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f26ccfe-9f7c-4e64-b796-495430291f3c.vbs"72⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe73⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae898ae2-e065-4f36-afdf-8239ade56e3a.vbs"74⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe75⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d287c5-c420-40bb-a9a2-35b8d948a89d.vbs"76⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe77⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2592b695-80f2-40ff-8b5a-aa59f1e3baa5.vbs"78⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe79⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b74b677-8ea8-45be-8775-9c63fb68a96c.vbs"78⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d2a18eb-d9a4-42b5-9cd9-5c1ace9df20b.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d64ad0cf-f534-436c-80c8-c7e0791a534b.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c7d5f6-42b1-49e1-aa28-df741bc901a0.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f77a09-f2b4-48b3-b764-078edf3ed4b9.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bed9b5e-e319-421b-b4e2-8c401434d8a4.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2632b152-5311-45ae-9d57-118893298cab.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca0abd2-fd94-40b0-add5-2befc07ed03b.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea907f92-5fbc-48b9-b131-f57d3849c4c7.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5865c6f5-f160-4548-b6a4-ede9c06557ea.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d8e2af-b459-41ea-9a7c-5fbd0c820b1f.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1031bbc-1578-438f-9c40-0947ba730b33.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5901a94d-716c-46f2-8c5d-356fa6b4fdde.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cb598c1-189f-4525-95ed-bbc971796a8b.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92e7720-bcb7-4a80-aa59-a71dde786e7e.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07da1700-8d0c-44a7-8dae-6ed62fead0e5.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6fe4735-3f0d-46fd-a067-899cfde65d82.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed6a050-b5ac-4e53-a673-52729356fc0e.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0dd4dae-3913-43dc-90f3-b38d4a5a9f36.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d432c9-477a-4a23-96fa-4e09260d4169.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2741ae44-0bfd-40ff-8d7b-db35d3903a1d.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944c1096-9220-4bf2-9528-bc23efd468cd.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31a92b0-a8a7-472d-8d71-8db275b551b6.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed229ad-376f-4224-8df6-9e1b80d34731.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f3566e-6454-476a-b9f6-1a77344e8c7a.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63de7335-0b06-4cae-8d3b-a46d35794d7e.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce26ae1b-2d2c-49df-b0e3-32693de06c1e.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed92687a-a79a-464d-9334-4d2cb62ffd75.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c932af-2d38-41e1-8a97-d496a0ec7705.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c564a0-4579-4273-a08a-0557299b887b.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66638d9f-002c-4cb1-8ef7-cd3c532d0a4f.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d43634ff-faf9-4e4a-ba73-30f19705d1fe.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7830816-0a22-4090-bfc2-c4a253058d31.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2284a41e-5908-46a1-a79e-9d6e835af824.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5984179c-e716-4dee-a1e4-54bb2cc88ad2.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc43f0a-afe7-495e-aa27-a2436b925282.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a15ceab6-0fd7-4886-8b0d-ced2e1438b84.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5e52895-461c-4c15-825a-de9ded2a04ff.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1608ef2f-1168-4a08-ae8d-1cd6348f241c.vbs"2⤵
-
C:\Program Files (x86)\Internet Explorer\lsass.exe"C:\Program Files (x86)\Internet Explorer\lsass.exe"1⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.batFilesize
42B
MD59005984f23c241ae6504691edad99db9
SHA150ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff
-
C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbeFilesize
227B
MD58ad651de9eab5382f5aeb6e0a38e22bc
SHA1c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA5126fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a
-
C:\Bridgeserverintocommon\file.vbsFilesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Bridgeserverintocommon\intobroker.exeFilesize
3.4MB
MD534f09d31d624cddea4794d6b60fb342a
SHA121dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.logFilesize
1KB
MD5b058942fe750846925da0c79dbad94ec
SHA1338efbdf7514f23e73dac4e69c6e9b979b0c902f
SHA256de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559
SHA512bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e
-
C:\Users\Admin\AppData\Local\Temp\01bba978-0e5d-4998-b927-bfd56e4cb24f.vbsFilesize
709B
MD592c956f071c09915d1cfb9ed5323947b
SHA12a62ad669cdeed7ab7d8e055d5d7ac0455330714
SHA256a6a210ca6c4a7dda997ace1193c7b722abf8cdbabe5a27bb28886e2da243860d
SHA512df2ced8535a7b0827d7e4d3c3e2a7a0c9a5e56ddbcff5633e1f9d4991327ef9aba6aca7338ec152445cce56707b12054233b42b3fca61383f8489e39511e8309
-
C:\Users\Admin\AppData\Local\Temp\12e7d9e5-f22d-4585-b3f0-d210976fdd73.vbsFilesize
708B
MD54f8e53583394c70b0cde7ac37950a4fc
SHA108da27d323b012321038757959eb7f6106da2a60
SHA256aa27d70ad3a976d8d210901cf62fb4ec8147998694d05d4b796baae3adfad917
SHA512bad5964428f411231bf3a1d11969c46743c96b569d31670abfded1b69ad5ee4b39ad8491edbc1dbf6f2c07439aa62cecce49e169c91ca84541358f14ef5acf34
-
C:\Users\Admin\AppData\Local\Temp\25411de5-3532-463c-ad6a-08a34584af6c.vbsFilesize
709B
MD51b63ab46d699c684e6c215e8948de984
SHA149aac00a955632e9009554a82f9f1d9d231d37da
SHA2561a49648debfa6ec0859f8dab5a0fc8bd1d53233359248a7566a7e8e18ad11c50
SHA512c3a4c760201edad9e38dc4415f2273dfa2ac37539cd70eb52fee32eec0448f1889df9ed8d5b8ff5f87b7b67ea67e4cabd05cb21182854f3ebc32dc1ad5a87ef6
-
C:\Users\Admin\AppData\Local\Temp\2f1832da-5f78-44ae-ac58-ab65415efb68.vbsFilesize
709B
MD513ec4414642dc109f6bc823ee98ae05e
SHA19595853147ab7315974bc5a1085a0f349f66b56b
SHA25625a0745dcc50b3e205f8f709cf719fafaf342c00681253fcc00e870ac56d4d14
SHA512b5830a2ff7c5e6f0fcdc07a999b40960c00189512b39100dc960173c87b2f63df1a1b76a2dfbe92ed49c083a2d145bc29684afa6241b8dfd29d3e46c1c5c4cbd
-
C:\Users\Admin\AppData\Local\Temp\45ec3c2f-cbab-42ca-a9a7-92d695e93190.vbsFilesize
709B
MD5ddd7eb746e801fa8a634af91ae464666
SHA189bb99a5eb6ba632083df438ebd4637fdd7cd804
SHA2568e1e18001c7e498db58a3636e9ab54b7d37807a3cccabc35da7761f2fc613a84
SHA5123fa3affaff313934bbaf93e0c42db58f5b2a4450aa8fc0e030d0cdfd8e3d628fc1265425e25566178100e100732fb1542852f2d94ee475fd048e7ce7c3f3b31d
-
C:\Users\Admin\AppData\Local\Temp\4ce88bea-3f0d-44ea-9f20-ba7cecbcf361.vbsFilesize
709B
MD5fd127fcf7511335cc67fd7f6baf6698f
SHA1258e2f779e8a061f38e435f9d7277bb28f6c4053
SHA256decd3dd003df2d90f2a0d2bcb6e47f9c9ff2815def8b675f1a23792e132c4c5a
SHA512da3dc7ce07a7b6a29a25d92cc59f7021f998a411e17d3a634456544b7388f653cbda29e7ca3552a299f1ae9b115433ab374b0396733193ab740ea6571351a86d
-
C:\Users\Admin\AppData\Local\Temp\5259f394-9c3b-4a35-b9ba-47aba974bf69.vbsFilesize
709B
MD52bf0612845f4c628eb567f843b2a1ef3
SHA1b8faab40894a0409a80e2f2de523cf103f0207d2
SHA2562054ede9cdcf9e8efa7c04199c54707f6a496074a299bdf3581fcea1616c50d1
SHA512af4d4468b6db7691e8562bd002fffc9629d2d10f297403aa286aaccb84209fe6f32b5fb6649bc891eefed9e0ad29d8390e665a5fae78d35dec039ec99e23da57
-
C:\Users\Admin\AppData\Local\Temp\5a68b638-233c-4a47-9770-29624516c166.vbsFilesize
708B
MD5f297ed7bd394dccda0e01f4c26191e3c
SHA19bf334af3d6f0b9352280b84c8e7fe8c7efd034d
SHA256289415fcc70d9d478c14833956ac6a852b4e6d5bf5598a9e1d799f5140b34329
SHA51248009f3a8db082ceff225d281eccc54e9a6b84b0d2b6ec3ca3a9beb56c3848a25c60601ba911d11e8376f48b1350684ebb7e3d17cc1f432e1008c15c410635e8
-
C:\Users\Admin\AppData\Local\Temp\649a2fbf-16fe-43c2-a7e1-bb968f5ebde0.vbsFilesize
708B
MD5c0a96b9fedb479d07652c28bbb5af394
SHA1611e2a3fa1eb7440efa9a9e1213d01f0092c57ee
SHA256865bd8e8d585b2b364774ce615c82bbf21174f8eae774c712aba404c3dce2bbd
SHA5126e5aeed8a94e57e14cd40078f6188c27590e703945886262c7acffa70867812a9b5fabf264d3d5eb942dee3960f7fb00e62067f20f909f7cd0dbc043ae4a7c41
-
C:\Users\Admin\AppData\Local\Temp\7926de01-fc77-40c6-8560-d0602de73fd7.vbsFilesize
709B
MD5d01e48ce01ec5bae7230f4749aa36540
SHA1f456038daca845cfb16e30a33f4967adea74f678
SHA25618753e9397d3112772d869351fa4f22414cba3586912eca6fbf4880a6cb41e18
SHA512f4ef5bd87059b35d89e7e65f5bb15c5023ea5fa09672e88dd4fe08e04449094898f2ebbc677943af724fb00790d3760294615f1c419a7a0d3d494dc1fb3d5499
-
C:\Users\Admin\AppData\Local\Temp\7e531bb5-f608-48a3-895a-e56a4cd085e4.vbsFilesize
709B
MD558a449e4586ad6ef712dec5b5d9e234f
SHA12c95220bc0b0fd05ce0e804e0fd168258f819113
SHA2569673f607f746a2ddbd1295a9a5cc199cf71b1e7139c9554caf9ee0912edbd4f7
SHA512c4fa112951c088dc757f10ccf905db37d48547eeaf893aa8e9c0b232e7fd7ed617e8b52de0d4473a1b382360bf5b03fcf6fc02a46c908f3b525192bdd3e5cb55
-
C:\Users\Admin\AppData\Local\Temp\7f27820d-55d2-416e-9cd1-ff38ccde898e.vbsFilesize
715B
MD5b1c397f2afbbe58146c4129960afb041
SHA1cf2479ea0e77373eacd717d930115c0a6cbee4e8
SHA2560ddd63c919df94ae9669b2e69632b50d342af7068ffcfcb08dbabae154055f37
SHA512b0721fd7c24fba7a474359b49f5403f5c78f9640b5bd73a9ee41bd38f8bab60610f5885461f84392f724dce2c4eed26949442db104bca2fb4c2940741b1c9392
-
C:\Users\Admin\AppData\Local\Temp\96003001-068f-4680-90ae-561c2826abc4.vbsFilesize
709B
MD5b8de523162982fb95f3fc7f95e377429
SHA1dd1cffd88333d62ff3d973a215631eee9478bc32
SHA25606caf65f80f6121e143462954364c9d34545ef61bb3cefbc1f053235479d63a8
SHA5129c06a3b7d4c3f3e2d498b2cb7fd41fa8706ecbd444e1a76c8a08ca74e405e8fdabe30a6d8f91486cde8a7065276f363f82b3207ca19b1048770e820068874626
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exeFilesize
2.2MB
MD561f4153bfff66366181c4102763763b6
SHA169e7786d66e718426321e2db61a6bafb3129b6a9
SHA256e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199
SHA512e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb
-
C:\Users\Admin\AppData\Local\Temp\L0XaTsj2YO.batFilesize
198B
MD5da39f87d62b1368a4af5e8698f0149bd
SHA1398bf43e0328f11986bc68fb45b8dcc488deb96e
SHA2562265ab2f539afe65eb32b01086d6a1c904a01639bb5f1121ca016dd1d1e2c2d2
SHA5128c4bc4ae3a25809eae39ccdae22acf70b5c3cc24d3ca187929fefb2bdf6ddc0688b5295da2e9aeee9064f77cd020e270f177d4213ba161a0869800c98cef3cc9
-
C:\Users\Admin\AppData\Local\Temp\c619c2b5-87db-4315-a48e-ee99d2865150.vbsFilesize
709B
MD5edc31b21d1ff42c6cb3d47f2e5539cb1
SHA1c9f408c62cdde10af49e863b0a0c6cbb4a3b7054
SHA2568db81f83468aa410fa5b90c33d75b6e0519ed33e5877ede782e31c15357f5b5c
SHA51263167e6fc3f8ce497653e424a906638d797c27cbafcaf612da05a1d0939e455b9d97cd99498faad8f7fec7d2f2a52609f9e2518d435b83be0d58ffbdddac8c79
-
C:\Users\Admin\AppData\Local\Temp\ca423b83-c3e1-47a5-9ecf-8576ee80486c.vbsFilesize
485B
MD5a063c562d1aef0945bb3b40edc47589d
SHA16d12743c69567bb9d087f1808a9079b83389fbb9
SHA2568db9d21ccf39ad9fb52e281e3b5ccc27fd02a9045ba22b9859d8229df2c4362c
SHA51238fd99e1093d53acb72945459749d4742ce035140e17ccfe09b8a63eb8a757d83a15e4117fca024d2c14e8ee6f3ec00205dfbdef8fdba107532407db177bffb3
-
C:\Users\Admin\AppData\Local\Temp\d3ef5ad8-3ae2-46ed-a311-03d071421781.vbsFilesize
485B
MD507dc24a9465c9e134076ef1e04a89817
SHA14a8a4059ff9cb53f5e4fa4f23454426b0eab55b2
SHA256cfcdb3391bb39823f1a430376565cee9e928978ff35328d17399f724c80482c1
SHA5127ce4a9678d44cb67a6cbd4a8fb1746eaf1a088568df305412a163e1096bc71cef8d5ecc9ff3f959aeef9caae426a71a46e9852c1f456206fa7a946a1fd76beb1
-
C:\Users\Admin\AppData\Local\Temp\d888000a-f067-4dae-97b2-bdd7dc3116ec.vbsFilesize
709B
MD5df8e7790dca421001947935675490926
SHA143601c6ce7a29624f4d96b65fa76d4def9fe2ca0
SHA25685961ef3236f221d7e80c8a49961a9218b8614680e31ed3cd6812188d93c1f1a
SHA51290862a6a1e00b1e5f7caaf913eb364413bfbf547f2c80d9212cf9d5e5dcabd9c513af3104accd73d9e9b8a0d6bd8520126abe3fedb169aa5e9231c44e2e609fd
-
C:\Users\Admin\AppData\Local\Temp\e53f6212-924f-42d3-89e6-d49cbd7339b0.vbsFilesize
709B
MD584b81a9e1c5da761d0949ec308676ec7
SHA11d4d69cb38c324231ff55fdf4ccac68aed41d5bb
SHA256998b821378589822aaa5e423fc7264ff2011840780e1d3992464bd5bd969a05b
SHA512f2f85cb14745904f2fc8c3b347e8f0ffc16617df5f9035b47a466421969efd5558cb4d8ac8e417eb34c902fd7bda4b5c27fee63179fe23909088dd7664c29822
-
C:\Users\Admin\AppData\Local\Temp\ec8bf9c2-cfa5-4880-94ee-6d4f296d36f1.vbsFilesize
491B
MD5a1c2ca30d4df6f741e55c36f8a5dd37d
SHA1448780363dce80afe238c5745587f1c4347b312b
SHA256ce774df252fd0454b4a86fcd80a666acfaab5c4d1f43661c665b4e5d345866fa
SHA512fcfaf07f2a25d52b9714d32007f4401f007f3ee5a2fc52274d7a3d026dca271348cc26aa1a4768cab28cb039d6c0cbd241b574296baed787ad9b119f2113a18a
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeFilesize
3.7MB
MD53aff466445051bd93a7ea3ae519587ef
SHA1516c1e9da912f6d988146fb812d88bdc7b30588a
SHA25647f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA5123870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
-
C:\Users\Admin\AppData\Local\Temp\ffa5c4ed-8f80-4922-8b03-4dd6b6c62c0c.vbsFilesize
709B
MD5ebe6604d9ccaa634613113af50bccb11
SHA19a39304f1d51db1920c5df1698a22c23ecca4e24
SHA2560ab4d64f118dbc8672a691a0e7b865119c97d0d4e236b20f90374b25226e9ba3
SHA512a3d65f0f9f65be3884a136726e3be5ac683fb316ba36967511c028363b334a55f2b2b412a2287b9501a9a16306547085bb135c23afd55ac1922ec5854f83832a
-
memory/412-349-0x000000001B850000-0x000000001B862000-memory.dmpFilesize
72KB
-
memory/412-229-0x000000001BF00000-0x000000001BF12000-memory.dmpFilesize
72KB
-
memory/1144-838-0x000000001BFF0000-0x000000001C002000-memory.dmpFilesize
72KB
-
memory/1144-823-0x000000001D7B0000-0x000000001D806000-memory.dmpFilesize
344KB
-
memory/1408-378-0x000000001B520000-0x000000001B532000-memory.dmpFilesize
72KB
-
memory/1448-953-0x000000001C3F0000-0x000000001C402000-memory.dmpFilesize
72KB
-
memory/1972-106-0x000000001BB60000-0x000000001BB72000-memory.dmpFilesize
72KB
-
memory/2076-393-0x0000000002F40000-0x0000000002F52000-memory.dmpFilesize
72KB
-
memory/2100-637-0x000000001D1F0000-0x000000001D202000-memory.dmpFilesize
72KB
-
memory/2176-75-0x000000001BE80000-0x000000001BE88000-memory.dmpFilesize
32KB
-
memory/2176-51-0x000000001B350000-0x000000001B362000-memory.dmpFilesize
72KB
-
memory/2176-70-0x000000001BE30000-0x000000001BE3E000-memory.dmpFilesize
56KB
-
memory/2176-72-0x000000001BE50000-0x000000001BE5E000-memory.dmpFilesize
56KB
-
memory/2176-71-0x000000001BE40000-0x000000001BE48000-memory.dmpFilesize
32KB
-
memory/2176-73-0x000000001BE60000-0x000000001BE68000-memory.dmpFilesize
32KB
-
memory/2176-74-0x000000001BE70000-0x000000001BE7C000-memory.dmpFilesize
48KB
-
memory/2176-41-0x00000000002D0000-0x0000000000638000-memory.dmpFilesize
3.4MB
-
memory/2176-76-0x000000001BF90000-0x000000001BF9A000-memory.dmpFilesize
40KB
-
memory/2176-67-0x000000001BE00000-0x000000001BE08000-memory.dmpFilesize
32KB
-
memory/2176-68-0x000000001BE10000-0x000000001BE1C000-memory.dmpFilesize
48KB
-
memory/2176-64-0x000000001BBD0000-0x000000001BBD8000-memory.dmpFilesize
32KB
-
memory/2176-65-0x000000001BBE0000-0x000000001BBEC000-memory.dmpFilesize
48KB
-
memory/2176-66-0x000000001BBF0000-0x000000001BBFC000-memory.dmpFilesize
48KB
-
memory/2176-63-0x000000001BBC0000-0x000000001BBCC000-memory.dmpFilesize
48KB
-
memory/2176-62-0x000000001C0F0000-0x000000001C618000-memory.dmpFilesize
5.2MB
-
memory/2176-61-0x000000001BB90000-0x000000001BBA2000-memory.dmpFilesize
72KB
-
memory/2176-60-0x000000001BB80000-0x000000001BB88000-memory.dmpFilesize
32KB
-
memory/2176-42-0x0000000002820000-0x000000000282E000-memory.dmpFilesize
56KB
-
memory/2176-59-0x000000001BB70000-0x000000001BB7C000-memory.dmpFilesize
48KB
-
memory/2176-58-0x000000001BB60000-0x000000001BB68000-memory.dmpFilesize
32KB
-
memory/2176-57-0x000000001BB50000-0x000000001BB5C000-memory.dmpFilesize
48KB
-
memory/2176-56-0x000000001BB00000-0x000000001BB56000-memory.dmpFilesize
344KB
-
memory/2176-55-0x000000001B3E0000-0x000000001B3EA000-memory.dmpFilesize
40KB
-
memory/2176-54-0x000000001B3D0000-0x000000001B3E0000-memory.dmpFilesize
64KB
-
memory/2176-53-0x000000001B3C0000-0x000000001B3C8000-memory.dmpFilesize
32KB
-
memory/2176-52-0x000000001B3B0000-0x000000001B3BC000-memory.dmpFilesize
48KB
-
memory/2176-69-0x000000001BE20000-0x000000001BE2A000-memory.dmpFilesize
40KB
-
memory/2176-43-0x000000001B1B0000-0x000000001B1BE000-memory.dmpFilesize
56KB
-
memory/2176-44-0x000000001B1C0000-0x000000001B1C8000-memory.dmpFilesize
32KB
-
memory/2176-46-0x000000001B360000-0x000000001B3B0000-memory.dmpFilesize
320KB
-
memory/2176-47-0x000000001B1F0000-0x000000001B1F8000-memory.dmpFilesize
32KB
-
memory/2176-50-0x000000001B340000-0x000000001B34C000-memory.dmpFilesize
48KB
-
memory/2176-45-0x000000001B1D0000-0x000000001B1EC000-memory.dmpFilesize
112KB
-
memory/2176-48-0x000000001B310000-0x000000001B320000-memory.dmpFilesize
64KB
-
memory/2176-49-0x000000001B320000-0x000000001B336000-memory.dmpFilesize
88KB
-
memory/2208-608-0x000000001C9F0000-0x000000001CA02000-memory.dmpFilesize
72KB
-
memory/2600-151-0x0000000002D20000-0x0000000002D32000-memory.dmpFilesize
72KB
-
memory/3556-1032-0x000000001CBB0000-0x000000001CC06000-memory.dmpFilesize
344KB
-
memory/3560-269-0x000000001B1E0000-0x000000001B1F2000-memory.dmpFilesize
72KB
-
memory/3756-931-0x000000001CDB0000-0x000000001CE06000-memory.dmpFilesize
344KB
-
memory/3876-451-0x000000001BD50000-0x000000001BD62000-memory.dmpFilesize
72KB
-
memory/3876-450-0x00000000033A0000-0x00000000033B2000-memory.dmpFilesize
72KB
-
memory/4080-0-0x00000000005E0000-0x0000000000A78000-memory.dmpFilesize
4.6MB
-
memory/4080-32-0x00007FFF91110000-0x00007FFF91BD2000-memory.dmpFilesize
10.8MB
-
memory/4080-2-0x000000001B7A0000-0x000000001B7B0000-memory.dmpFilesize
64KB
-
memory/4080-1-0x00007FFF91110000-0x00007FFF91BD2000-memory.dmpFilesize
10.8MB
-
memory/4160-793-0x000000001CDF0000-0x000000001CE02000-memory.dmpFilesize
72KB
-
memory/4360-333-0x000000001B830000-0x000000001B842000-memory.dmpFilesize
72KB
-
memory/4732-808-0x000000001D3F0000-0x000000001D402000-memory.dmpFilesize
72KB
-
memory/4736-867-0x000000001BFB0000-0x000000001C006000-memory.dmpFilesize
344KB
-
memory/4944-750-0x000000001D3F0000-0x000000001D402000-memory.dmpFilesize
72KB
-
memory/5548-975-0x000000001BDF0000-0x000000001BE02000-memory.dmpFilesize
72KB