Analysis

max time kernel: 1800s
max time network: 1799s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-04-2024 20:33

Static task: static1

Behavioral task: behavioral1
  Sample: Neverlose.cc Crack.exe
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: Neverlose.cc Crack.exe
  Resource: win10-20240404-en

Behavioral task: behavioral3
  Sample: Neverlose.cc Crack.exe
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: Neverlose.cc Crack.exe
  Resource: win10v2004-20240426-en

Behavioral task: behavioral5
  Sample: Neverlose.cc Crack.exe
  Resource: win11-20240419-en
General

Target: Neverlose.cc Crack.exe
Size: 4.6MB
MD5: cb2be30171f2abcd864d4afbce7cbf4a
SHA1: 9b9328b84ca32f6026430b98390e718d971c82ed
SHA256: de7598261915dd8568f29b70b0a122daf90a086bb2a4d976474f4873b55949bc
SHA512: 935fca6c2e7de61a257bb225097308dc243f4cfd470ac70a80ab319c4af0ae5dbcd893fdd3d3558bcebbf7fb129cc96dfdf054b649d44c6be15f5267be73710c
SSDEEP: 98304:l2wqFuVDp+YL9l5LPDj2VWnPt1Igxrgjc0iXs/oMoaq9l44R0:0wuudpZL9l5LPkw11InWp47
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | intobroker.exe
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3264 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1952 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4560 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4584 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4108 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3712 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3132 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4636 | 3112 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 236 | 3112 | schtasks.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | intobroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\explorer.exe | dcrat
C:\Bridgeserverintocommon\intobroker.exe | dcrat
behavioral5/memory/2176-41-0x00000000002D0000-0x0000000000638000-memory.dmp | dcrat
-
Executes dropped EXE 64 IoCs
Processes:
pid | process
1244 | explorer.exe
4728 | AimStar.exe
2176 | intobroker.exe
2596 | dllhost.exe
1972 | dllhost.exe
3148 | dllhost.exe
872 | dllhost.exe
4428 | dllhost.exe
2600 | dllhost.exe
1236 | dllhost.exe
3936 | dllhost.exe
1412 | dllhost.exe
2180 | dllhost.exe
2020 | dllhost.exe
3052 | dllhost.exe
412 | dllhost.exe
2104 | dllhost.exe
2840 | dllhost.exe
3128 | dllhost.exe
3712 | dllhost.exe
3560 | dllhost.exe
1560 | dllhost.exe
808 | dllhost.exe
1120 | dllhost.exe
1236 | dllhost.exe
1672 | dllhost.exe
3504 | dllhost.exe
2620 | dllhost.exe
3368 | dllhost.exe
868 | dllhost.exe
4360 | dllhost.exe
2788 | dllhost.exe
536 | RuntimeBroker.exe
412 | dllhost.exe
2948 | dllhost.exe
1632 | dllhost.exe
1564 | dllhost.exe
1408 | dllhost.exe
3024 | dllhost.exe
2076 | dllhost.exe
5072 | dllhost.exe
780 | dllhost.exe
2028 | dllhost.exe
3020 | dllhost.exe
5008 | dllhost.exe
2508 | dllhost.exe
1992 | dllhost.exe
3876 | dllhost.exe
2332 | dllhost.exe
1216 | dllhost.exe
236 | wininit.exe
2768 | dllhost.exe
3484 | wininit.exe
1088 | wininit.exe
1492 | wininit.exe
2944 | wininit.exe
3928 | lsass.exe
2004 | dllhost.exe
2320 | wininit.exe
1044 | RuntimeBroker.exe
4764 | RuntimeBroker.exe
3344 | RuntimeBroker.exe
4608 | RuntimeBroker.exe
2748 | RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Internet Explorer\\lsass.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" | intobroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | intobroker.exe
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Internet Explorer\6203df4a6bafc7 | intobroker.exe
File created | C:\Program Files (x86)\Internet Explorer\lsass.exe | intobroker.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\lsass.exe | intobroker.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System\Speech\System.exe | intobroker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3712 | schtasks.exe
236 | schtasks.exe
3264 | schtasks.exe
4560 | schtasks.exe
2488 | schtasks.exe
4584 | schtasks.exe
2400 | schtasks.exe
4636 | schtasks.exe
1952 | schtasks.exe
4108 | schtasks.exe
4092 | schtasks.exe
3132 | schtasks.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | wininit.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings | RuntimeBroker.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
intobroker.exedllhost.exepid process 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2176 intobroker.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe 2596 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
- Token: SeDebugPrivilege 2176 intobroker.exe
- Token: SeDebugPrivilege 2596 dllhost.exe
- Token: SeDebugPrivilege 1972 dllhost.exe
- Token: SeDebugPrivilege 3148 dllhost.exe
- Token: SeDebugPrivilege 872 dllhost.exe
- Token: SeDebugPrivilege 4428 dllhost.exe
- Token: SeDebugPrivilege 2600 dllhost.exe
- Token: SeDebugPrivilege 1236 dllhost.exe
- Token: SeDebugPrivilege 3936 dllhost.exe
- Token: SeDebugPrivilege 1412 dllhost.exe
- Token: SeDebugPrivilege 2180 dllhost.exe
- Token: SeDebugPrivilege 2020 dllhost.exe
- Token: SeDebugPrivilege 3052 dllhost.exe
- Token: SeDebugPrivilege 412 dllhost.exe
- Token: SeDebugPrivilege 2104 dllhost.exe
- Token: SeDebugPrivilege 2840 dllhost.exe
- Token: SeDebugPrivilege 3128 dllhost.exe
- Token: SeDebugPrivilege 3712 dllhost.exe
- Token: SeDebugPrivilege 3560 dllhost.exe
- Token: SeDebugPrivilege 1560 dllhost.exe
- Token: SeDebugPrivilege 808 dllhost.exe
- Token: SeDebugPrivilege 1120 dllhost.exe
- Token: SeDebugPrivilege 1236 dllhost.exe
- Token: SeDebugPrivilege 1672 dllhost.exe
- Token: SeDebugPrivilege 3504 dllhost.exe
- Token: SeDebugPrivilege 2620 dllhost.exe
- Token: SeDebugPrivilege 868 dllhost.exe
- Token: SeDebugPrivilege 4360 dllhost.exe
- Token: SeDebugPrivilege 2788 dllhost.exe
- Token: SeDebugPrivilege 536 RuntimeBroker.exe
- Token: SeDebugPrivilege 412 dllhost.exe
- Token: SeDebugPrivilege 2948 dllhost.exe
- Token: SeDebugPrivilege 1632 dllhost.exe
- Token: SeDebugPrivilege 1564 dllhost.exe
- Token: SeDebugPrivilege 1408 dllhost.exe
- Token: SeDebugPrivilege 3024 dllhost.exe
- Token: SeDebugPrivilege 2076 dllhost.exe
- Token: SeDebugPrivilege 5072 dllhost.exe
- Token: SeDebugPrivilege 780 dllhost.exe
- Token: SeDebugPrivilege 2028 dllhost.exe
- Token: SeDebugPrivilege 3020 dllhost.exe
- Token: SeDebugPrivilege 5008 dllhost.exe
- Token: SeDebugPrivilege 2508 dllhost.exe
- Token: SeDebugPrivilege 1992 dllhost.exe
- Token: SeDebugPrivilege 3876 dllhost.exe
- Token: SeDebugPrivilege 2332 dllhost.exe
- Token: SeDebugPrivilege 1216 dllhost.exe
- Token: SeDebugPrivilege 236 wininit.exe
- Token: SeDebugPrivilege 2768 dllhost.exe
- Token: SeDebugPrivilege 3484 wininit.exe
- Token: SeDebugPrivilege 1088 wininit.exe
- Token: SeDebugPrivilege 1492 wininit.exe
- Token: SeDebugPrivilege 2944 wininit.exe
- Token: SeDebugPrivilege 3928 lsass.exe
- Token: SeDebugPrivilege 2004 dllhost.exe
- Token: SeDebugPrivilege 2320 wininit.exe
- Token: SeDebugPrivilege 1044 RuntimeBroker.exe
- Token: SeDebugPrivilege 4764 RuntimeBroker.exe
- Token: SeDebugPrivilege 3344 RuntimeBroker.exe
- Token: SeDebugPrivilege 4608 RuntimeBroker.exe
- Token: SeDebugPrivilege 2748 RuntimeBroker.exe
- Token: SeDebugPrivilege 1464 RuntimeBroker.exe
- Token: SeDebugPrivilege 3448 RuntimeBroker.exe
- Token: SeDebugPrivilege 3864 RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
- PID 4080 wrote to memory of 1244 4080 Neverlose.cc Crack.exe explorer.exe
- PID 4080 wrote to memory of 1244 4080 Neverlose.cc Crack.exe explorer.exe
- PID 4080 wrote to memory of 1244 4080 Neverlose.cc Crack.exe explorer.exe
- PID 4080 wrote to memory of 4728 4080 Neverlose.cc Crack.exe AimStar.exe
- PID 4080 wrote to memory of 4728 4080 Neverlose.cc Crack.exe AimStar.exe
- PID 1244 wrote to memory of 3128 1244 explorer.exe WScript.exe
- PID 1244 wrote to memory of 3128 1244 explorer.exe WScript.exe
- PID 1244 wrote to memory of 3128 1244 explorer.exe WScript.exe
- PID 1244 wrote to memory of 2856 1244 explorer.exe WScript.exe
- PID 1244 wrote to memory of 2856 1244 explorer.exe WScript.exe
- PID 1244 wrote to memory of 2856 1244 explorer.exe WScript.exe
- PID 3128 wrote to memory of 4196 3128 WScript.exe cmd.exe
- PID 3128 wrote to memory of 4196 3128 WScript.exe cmd.exe
- PID 3128 wrote to memory of 4196 3128 WScript.exe cmd.exe
- PID 4196 wrote to memory of 2176 4196 cmd.exe intobroker.exe
- PID 4196 wrote to memory of 2176 4196 cmd.exe intobroker.exe
- PID 2176 wrote to memory of 3440 2176 intobroker.exe cmd.exe
- PID 2176 wrote to memory of 3440 2176 intobroker.exe cmd.exe
- PID 3440 wrote to memory of 788 3440 cmd.exe w32tm.exe
- PID 3440 wrote to memory of 788 3440 cmd.exe w32tm.exe
- PID 3440 wrote to memory of 2596 3440 cmd.exe dllhost.exe
- PID 3440 wrote to memory of 2596 3440 cmd.exe dllhost.exe
- PID 2596 wrote to memory of 2624 2596 dllhost.exe WScript.exe
- PID 2596 wrote to memory of 2624 2596 dllhost.exe WScript.exe
- PID 2596 wrote to memory of 864 2596 dllhost.exe WScript.exe
- PID 2596 wrote to memory of 864 2596 dllhost.exe WScript.exe
- PID 2624 wrote to memory of 1972 2624 WScript.exe dllhost.exe
- PID 2624 wrote to memory of 1972 2624 WScript.exe dllhost.exe
- PID 1972 wrote to memory of 2432 1972 dllhost.exe WScript.exe
- PID 1972 wrote to memory of 2432 1972 dllhost.exe WScript.exe
- PID 1972 wrote to memory of 3904 1972 dllhost.exe WScript.exe
- PID 1972 wrote to memory of 3904 1972 dllhost.exe WScript.exe
- PID 2432 wrote to memory of 3148 2432 WScript.exe dllhost.exe
- PID 2432 wrote to memory of 3148 2432 WScript.exe dllhost.exe
- PID 3148 wrote to memory of 708 3148 dllhost.exe WScript.exe
- PID 3148 wrote to memory of 708 3148 dllhost.exe WScript.exe
- PID 3148 wrote to memory of 1952 3148 dllhost.exe WScript.exe
- PID 3148 wrote to memory of 1952 3148 dllhost.exe WScript.exe
- PID 708 wrote to memory of 872 708 WScript.exe dllhost.exe
- PID 708 wrote to memory of 872 708 WScript.exe dllhost.exe
- PID 872 wrote to memory of 2992 872 dllhost.exe WScript.exe
- PID 872 wrote to memory of 2992 872 dllhost.exe WScript.exe
- PID 872 wrote to memory of 2456 872 dllhost.exe WScript.exe
- PID 872 wrote to memory of 2456 872 dllhost.exe WScript.exe
- PID 2992 wrote to memory of 4428 2992 WScript.exe dllhost.exe
- PID 2992 wrote to memory of 4428 2992 WScript.exe dllhost.exe
- PID 4428 wrote to memory of 3040 4428 dllhost.exe WScript.exe
- PID 4428 wrote to memory of 3040 4428 dllhost.exe WScript.exe
- PID 4428 wrote to memory of 4008 4428 dllhost.exe WScript.exe
- PID 4428 wrote to memory of 4008 4428 dllhost.exe WScript.exe
- PID 3040 wrote to memory of 2600 3040 WScript.exe dllhost.exe
- PID 3040 wrote to memory of 2600 3040 WScript.exe dllhost.exe
- PID 2600 wrote to memory of 904 2600 dllhost.exe WScript.exe
- PID 2600 wrote to memory of 904 2600 dllhost.exe WScript.exe
- PID 2600 wrote to memory of 3000 2600 dllhost.exe WScript.exe
- PID 2600 wrote to memory of 3000 2600 dllhost.exe WScript.exe
- PID 904 wrote to memory of 1236 904 WScript.exe dllhost.exe
- PID 904 wrote to memory of 1236 904 WScript.exe dllhost.exe
- PID 1236 wrote to memory of 5000 1236 dllhost.exe WScript.exe
- PID 1236 wrote to memory of 5000 1236 dllhost.exe WScript.exe
- PID 1236 wrote to memory of 2464 1236 dllhost.exe WScript.exe
- PID 1236 wrote to memory of 2464 1236 dllhost.exe WScript.exe
- PID 5000 wrote to memory of 3936 5000 WScript.exe dllhost.exe
- PID 5000 wrote to memory of 3936 5000 WScript.exe dllhost.exe
System policy modification 1 TTPs 64 IoCs
Processes:
description ioc process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" intobroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dllhost.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dllhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Neverlose.cc Crack.exe"
  - Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\explorer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
  - Suspicious use of WriteProcessMemory
Level 5: C:\Bridgeserverintocommon\intobroker.exe
  Command line: "C:\Bridgeserverintocommon\intobroker.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L0XaTsj2YO.bat"
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 7: C:\Recovery\WindowsRE\dllhost.exe
  Command line: "C:\Recovery\WindowsRE\dllhost.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 8: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d888000a-f067-4dae-97b2-bdd7dc3116ec.vbs"
  - Suspicious use of WriteProcessMemory
Level 9: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 10: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5259f394-9c3b-4a35-b9ba-47aba974bf69.vbs"
  - Suspicious use of WriteProcessMemory
Level 11: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 12: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1832da-5f78-44ae-ac58-ab65415efb68.vbs"
  - Suspicious use of WriteProcessMemory
Level 13: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12e7d9e5-f22d-4585-b3f0-d210976fdd73.vbs"
  - Suspicious use of WriteProcessMemory
Level 15: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 16: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25411de5-3532-463c-ad6a-08a34584af6c.vbs"
  - Suspicious use of WriteProcessMemory
Level 17: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 18: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7926de01-fc77-40c6-8560-d0602de73fd7.vbs"
  - Suspicious use of WriteProcessMemory
Level 19: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 20: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce88bea-3f0d-44ea-9f20-ba7cecbcf361.vbs"
  - Suspicious use of WriteProcessMemory
Level 21: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 22: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c619c2b5-87db-4315-a48e-ee99d2865150.vbs"
Level 23: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 24: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53f6212-924f-42d3-89e6-d49cbd7339b0.vbs"
Level 25: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 26: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffa5c4ed-8f80-4922-8b03-4dd6b6c62c0c.vbs"
Level 27: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 28: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e531bb5-f608-48a3-895a-e56a4cd085e4.vbs"
Level 29: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
Level 30: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bba978-0e5d-4998-b927-bfd56e4cb24f.vbs"
Level 31: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 32: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\649a2fbf-16fe-43c2-a7e1-bb968f5ebde0.vbs"
Level 33: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 34: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6b0b24-5ab2-478e-86d4-9d28a80cc935.vbs"
Level 35: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 36: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb088a59-18ca-4b83-9479-4b1ccc10fec1.vbs"
Level 37: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 38: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54276e7b-3bcd-4262-9771-a34a103a1a5f.vbs"
Level 39: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 40: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6d20dd-79bc-4c64-8c58-cfe904260f6e.vbs"
Level 41: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 42: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe19d7b2-14ac-4afa-ac65-bf0071fef492.vbs"
Level 43: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 44: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df5a642-4175-4f0c-9db2-11a3b25d8d34.vbs"
Level 45: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 46: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12c31c26-d0d3-4bd5-aedd-d9b2f7475c3c.vbs"
Level 47: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 48: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afb9356e-8686-40d2-994e-d240c45c4b97.vbs"
Level 49: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 50: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270957f0-f4e2-4186-ae55-76456699de04.vbs"
Level 51: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 52: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30fd5d81-94a2-480e-ac8f-91b6d23f6d4b.vbs"
Level 53: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 54: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4603ae-164f-46a8-8100-8ec8138677d1.vbs"
Level 55: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 56: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec43b257-d12d-4663-9f20-daef8dce8772.vbs"
Level 57: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - System policy modification
Level 58: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832a5fab-7e87-4c4c-a85c-8cec4eefb547.vbs"
Level 59: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 60: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f1b114-a66f-4cc2-b840-402359de0605.vbs"
Level 61: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 62: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02cb0ea2-340a-4c34-a177-08e1d730e305.vbs"
Level 63: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 64: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5724fd4-a8a1-4923-a832-848846134492.vbs"
Level 65: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 66: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5da6e8-7679-420d-b89d-e2058cb2cb03.vbs"
Level 67: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 68: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d51871b7-411e-402b-bbf8-796ffce543b9.vbs"
Level 69: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
Level 70: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681e1dbe-2a08-4cbf-9966-74e1f589778e.vbs"
Level 71: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 72: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df4ee476-ce39-49f4-997b-fdce994b8550.vbs"
Level 73: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - UAC bypass
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 74: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\349eb97b-4942-4d78-a903-23b7db8c11de.vbs"
Level 75: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
Level 76: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b82576e-f2a1-44e4-b834-6de58c88dff9.vbs"
Level 77: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Level 78: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccbd8eaf-d4d9-45a2-96f0-a1c2e3b270c7.vbs"
Level 79: C:\Recovery\WindowsRE\dllhost.exe
  Command line: C:\Recovery\WindowsRE\dllhost.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5041be5f-9bff-4245-9628-dbc8893a6c15.vbs"80⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe81⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c93c81a3-55ec-4445-b9a7-474f82d762b1.vbs"82⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe83⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d7ecac-434c-48bd-be9f-8d0ff0b897ab.vbs"84⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe85⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7720d2-9477-4422-a0e4-eaba6b669ed1.vbs"86⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe87⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40e1094c-d41f-4b61-8976-f4207e9eced0.vbs"88⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe89⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f61b3e-c6c6-44fd-90df-dfdbcd13ed07.vbs"90⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe91⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b69f64-ec95-4aef-9824-c1be3da034f4.vbs"92⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe93⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f978f59f-8817-495d-b2cb-bbb0f32f69de.vbs"94⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe95⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c293c5a-d4be-4368-b98f-ba2c948946c0.vbs"96⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe97⤵
- UAC bypass
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bcefffb-ce98-495d-b45c-a642c3a7f67a.vbs"98⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe99⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0b293a7-22df-4dba-bddd-f5e33db79033.vbs"98⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e32291-5e2c-4e4e-9bcb-75345082b1a8.vbs"96⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170272fa-a057-4fd3-8077-c237695b1e6c.vbs"94⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4658c4f8-4982-4688-a72e-82904fd8d749.vbs"92⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd5dabb-386b-4288-945b-51c804beb05b.vbs"90⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186cff3d-cfbb-4062-8b3a-fcb880adb85d.vbs"88⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8898f6b1-3f6e-4c2d-9017-748d1205acfc.vbs"86⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369f09a9-6db4-403f-b3ab-64e2f06a59ef.vbs"84⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aea6369-efc5-49b7-80ad-c1fc805e3d93.vbs"82⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e89bdcc-6eb5-4414-bdd0-63af8475fdee.vbs"80⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211cf535-197a-4b98-abe1-a1401aabf3d8.vbs"78⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19059ba9-3d8c-4e94-8539-ed8e9de782e7.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20e0c6c3-9885-4413-9f7b-e9fec4c602b7.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d1f8c50-2a53-4a10-8668-cd3f47af3069.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7537fd3e-16b6-40fe-abc9-4a79f8bf89dd.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efd83378-391d-4040-b419-9ec96ea3b218.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d797986e-bcfd-46f6-b023-656a82bba707.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c9ee8aa-a39a-44c7-bdf8-4a8b3ca1636a.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd88e66a-5e37-4bfa-882d-743ec21e5ce5.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c65b4ea5-ccd1-423b-9176-152af3461609.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513ecfb9-6ab0-407e-bb24-327ec7e898cf.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597854ca-cb08-47a6-8c5e-b1f270e442c5.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2959693-7327-4c87-96fd-faa598c02ead.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e794be-0043-4870-9627-64116ba718f5.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04564da6-a904-4fc4-a806-ecab25aaa499.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5845cda7-d2b2-4efe-a936-c6182a381005.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a684f2-f18b-4b21-b677-a459286f1711.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afbd9d83-ac24-46ad-9008-c502b58e9966.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b834b2e5-9497-44ac-bed4-a8ff3f4f655e.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09523b8-c0d8-4cd4-9b75-010e62e1592a.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01fd46ee-5419-4cf8-b1bd-ee0eb704f9b5.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef1407c8-be19-43c5-ae67-1b70ebd002c5.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec516f9-4f60-4a29-a571-197bbbe9d64e.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17678ea4-3b21-4977-9e07-d9ab5928c373.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fdd1bc4-c701-49d8-b622-c26f3b5c606d.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6632acc1-9716-46e9-b5f1-ab8f624107b1.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bdd53f5-c581-4257-bbdf-73ed3baa52a5.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9f3b98-d96b-447e-9da7-e47507eefe64.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d77f3671-3541-4e7d-90e5-ffac6d433d73.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4ba7ad-53ce-40c3-9fb4-b4ded6a51ea1.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ff04a7-0eda-4167-9426-9601772a4dda.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6465819-8255-4935-9d54-43d48cbad355.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2a3ab0-c708-4d28-9d8b-54e5a149eb27.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bd5a9a-b1e2-4d74-bb00-4c3d4386a935.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbf4545c-23ff-4b68-b7fe-fa182efaf82f.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca423b83-c3e1-47a5-9ecf-8576ee80486c.vbs"8⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exe"C:\Users\Admin\AppData\Local\Temp\AimStar.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a3e49b-99d8-41c6-9844-8168ee4c80c8.vbs"2⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63b8c705-0150-49e3-bfe6-bf6e1ba7104c.vbs"4⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68213cb3-20e0-4b1b-a9e2-08a29ab381e3.vbs"6⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e29a040b-dca1-4cc9-a376-4a9359ebd9b4.vbs"8⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c311fd1-20ea-40f9-b341-35c154b5183a.vbs"10⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76066860-98e7-4238-b511-3ef95bdb2bb0.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46acc47a-94ed-415f-ba68-99ebeec3a26b.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9441b50c-2a90-4e96-8def-868bc20bdca3.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ef5ad8-3ae2-46ed-a311-03d071421781.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c8dce4b-ba35-4466-87aa-3f52886c7950.vbs"2⤵
-
C:\Program Files (x86)\Internet Explorer\lsass.exe"C:\Program Files (x86)\Internet Explorer\lsass.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec4e633b-18c6-451a-9bd3-55631c62c3ed.vbs"2⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153226de-fe37-4799-afac-17cb0c211ccc.vbs"4⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25568f01-f1fc-4055-ad9b-db7e41d93a0f.vbs"6⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe7⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b180c5-3a12-45d5-a0e3-af0dc35a60c1.vbs"8⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d3d8f6-5d33-4620-bed7-7d5a65ffa390.vbs"10⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33da8c1c-693f-47ee-a1ad-1350747d40bc.vbs"12⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe13⤵
- UAC bypass
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d1a5bff-4b43-431b-9678-33541abbfd44.vbs"14⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe15⤵
- UAC bypass
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31fd4017-79d6-42a7-bb0c-2fba78a82141.vbs"16⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe17⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f81cc6-e097-478d-87e6-fe0205c23bf7.vbs"18⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe19⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bff00d95-37b5-40d3-8e92-27061b077dff.vbs"20⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe21⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\034bbc51-4e9c-4fa4-a782-6d2c3318429b.vbs"22⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe23⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e65b52-b5a1-4b2c-a44d-c61d34948806.vbs"24⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe25⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8261d6d-a881-4106-999d-7b020e63b240.vbs"26⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe27⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3544bf7a-0d64-4a7a-9d1d-cac294c1b8db.vbs"28⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe29⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e954887-ce64-487a-bf93-0930655f8005.vbs"30⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe31⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0b63b7-8085-4768-8401-43997e37f922.vbs"32⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe33⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\469b7ee9-0b4d-4fd6-a36b-fa9c8d5b4488.vbs"34⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe35⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c89ff13-7957-4a50-b21a-819d505e12ac.vbs"36⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe37⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f20f556c-76f4-49d7-a65e-ea2f20ae3303.vbs"38⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe39⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da6e77c-0b51-4be9-b61d-3d4632e1c6b1.vbs"40⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe41⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92325426-0ea4-411e-9281-c77c313f42d3.vbs"42⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe43⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068f63a6-ef01-4892-a34d-e048586663f6.vbs"44⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe45⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\829f2a36-b37b-486b-8d98-e2720080cf6c.vbs"46⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe47⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3036b40a-d9a5-4ece-9bd1-2775a97cee92.vbs"48⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe49⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c49afb-731e-4813-a6f5-9a6ea8d91be6.vbs"50⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe51⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c98f55-7d1f-4aca-9a9c-37864c9a75db.vbs"52⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe53⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5dffb53-0f5b-4e3b-a0de-9a6dd3b80877.vbs"54⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe55⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6202f4eb-b825-4cf1-8c33-047d5f5bf35a.vbs"56⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe57⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b359d9c4-6919-42d3-8a10-7ba7b157b2bd.vbs"58⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe59⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f27820d-55d2-416e-9cd1-ff38ccde898e.vbs"60⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe61⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6143548a-6c73-4652-9476-fc52f7bcc904.vbs"62⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe63⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53ac8b47-2e6b-437c-9258-72db5a348de7.vbs"64⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe65⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec6dbf8-60ba-402a-92e5-ac5bce43da10.vbs"66⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe67⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5bc574c-a0c3-4551-92ca-688096c04c2d.vbs"68⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe69⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fabb4113-72d8-4a75-bb78-a18d0158689a.vbs"70⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe71⤵
- UAC bypass
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22897489-69ab-4be8-8ed0-55c1a4da515c.vbs"72⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe73⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b77f4143-2c3b-4c8d-b36f-1af892384d16.vbs"74⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe75⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e330a647-0ac8-41f5-af89-bd241dc07be7.vbs"76⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe77⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b51084-9b28-4820-8550-91688466a62a.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e367c2e3-333b-42aa-909d-5892fa8111e4.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9deca9da-66fe-4883-9063-4d285942e38c.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe011e2e-da2d-4e9f-8fec-5729372f500b.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc64519f-2856-4ec6-88ea-03ed8116775a.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ea0f09f-1579-4eae-ba10-510bc914d297.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\134c3d35-0e7a-46a4-a0e8-5033eb4fa3b1.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d7fe6f0-c95b-4118-a080-5aec4189ff6f.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d775d89-6a0b-461a-8db1-8341ac4b583e.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\012d7929-2085-46b4-8dc3-c5aa2ad90fc0.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb759537-c712-4929-bc0c-b11f46197a2c.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7eec362c-5eb9-4ff6-9f4d-93e8259f2097.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c587acf-e7b4-4b5f-beaf-a7bae2daa5e2.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9379184-f8cc-444b-a3e2-2496e625067f.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3996ce-0f05-4282-851f-4dc3ef58d75a.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\479743dd-faff-45ce-982b-c35af8095f69.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ed030c1-18e3-4620-915f-ff2827fa6c4e.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3c7e5a-689a-469f-ad43-731390d8ed8d.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa3f973-fe84-49ac-830f-8ab83c71886a.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85de1a5d-6c60-4d22-9b52-f335fba1be6c.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d460f1fd-ea64-4a7d-a124-6d08b0b98cd9.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198f6cda-020f-4734-9b24-2e4d37a6d015.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164dd677-9ff3-4c05-9d11-00cd6669f228.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c01e0315-d58b-476e-96cc-04a8d946ef0b.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b59fc9b9-9c61-42ab-849c-010827b627aa.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c970facf-fb9f-482d-9843-2f908b5994e8.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1f1b3a-fd7b-47a0-aeb1-3230bbf46ed2.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1f67c8-21d2-465d-82c9-235633a29dcf.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39bb080f-ee28-44e1-9c63-40190883cb0d.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c4029b-be60-4e85-a9e1-6399739cce61.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e869c26b-2a3d-4b5f-b692-8eea7b3b59a4.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82715258-70d6-464b-aa2c-c6ae07e1e0a1.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6906cf81-a701-4d70-9932-07be1e6bd443.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e609f7-697a-4806-a4cf-b13d7dd41432.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ed9e42-aceb-4e11-910e-209670f47446.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf1bf04-a23c-4044-8ae3-6f346b4a736e.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8bf9c2-cfa5-4880-94ee-6d4f296d36f1.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84d58a2a-eb22-468e-a923-3cb0cb692985.vbs"2⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe1⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671544be-9732-4edc-a0e3-b75500a0ad76.vbs"2⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe3⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e94dea9-8ad0-4290-8d8a-d5f44e4eaacb.vbs"4⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe5⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c1003de-2ca6-442c-836f-305c9b3acbda.vbs"6⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe7⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38014573-4050-47ba-9a20-f39bd3f917c2.vbs"8⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe9⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7c15fd5-d73d-422f-b082-215a74ded541.vbs"10⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe11⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d3b7397-b66e-4efc-8e50-678ab6de1a35.vbs"12⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe13⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f9e3196-4a1c-40bc-81f9-7640314e7091.vbs"14⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe15⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a68b638-233c-4a47-9770-29624516c166.vbs"16⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe17⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96003001-068f-4680-90ae-561c2826abc4.vbs"18⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe19⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855a965d-5914-4180-a626-7752de71a64f.vbs"20⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe21⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4058a1-7619-47d7-83d4-d7d5a7cc554a.vbs"22⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe23⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9326086-1cab-4011-bbae-ce139cc8e94b.vbs"24⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe25⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692f3add-afcc-4082-9897-1486be3515bd.vbs"26⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe27⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21120d2e-5ad1-4c8f-9da5-889f25f354fb.vbs"28⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe29⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebc98cff-d71f-4db1-88e9-8fdc7ed5fee0.vbs"30⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe31⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2ff42ff-76cd-411f-b2ef-ac98e9231447.vbs"32⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe33⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d433f95-6fcd-451d-8851-fa7238603466.vbs"34⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe35⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90d1da0-2ac2-4f0b-acd3-6c30f431e4cf.vbs"36⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe37⤵
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89f2469-bb84-41b7-adad-e2585d2dc1df.vbs"38⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe39⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9440d36-df50-45f3-ac60-78ef3f77a100.vbs"40⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe41⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e352757-5715-40f9-b668-6474f56b7510.vbs"42⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe43⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29127795-cd68-4f00-bdf5-dd4a282f9473.vbs"44⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe45⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf2321c-a27b-40e4-899b-d32bb5522bc4.vbs"46⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe47⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb2515f-a061-4f8f-822f-398ed5368252.vbs"48⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe49⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da150f43-b3d1-4c8e-8165-b16e6742f9d0.vbs"50⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe51⤵
- UAC bypass
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66cb9863-7080-4e10-93a8-84267a9a691b.vbs"52⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe53⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1948bb02-20c3-4e35-97eb-d847ab2d5c15.vbs"54⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe55⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6879320-4a64-495c-a106-5bfb1dc97c41.vbs"56⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe57⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac7c2e2-453b-43ef-8439-394634cce938.vbs"58⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe59⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d269832-2790-4d4a-aa8c-0b4d0ab88acf.vbs"60⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe61⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94fba9f7-9ce1-4c08-b54d-bea391e473bd.vbs"62⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe63⤵
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b8c154-d620-4b11-8be5-3a39232ecfc9.vbs"64⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe65⤵
- UAC bypass
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45ec3c2f-cbab-42ca-a9a7-92d695e93190.vbs"66⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe67⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd89abdd-5721-45a4-83fa-18692aa1623e.vbs"68⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe69⤵
- UAC bypass
- Checks whether UAC is enabled
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5869ee0-55a6-45b2-83ca-4dd0f524eb37.vbs"70⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe71⤵
- UAC bypass
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f26ccfe-9f7c-4e64-b796-495430291f3c.vbs"72⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe73⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae898ae2-e065-4f36-afdf-8239ade56e3a.vbs"74⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe75⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d287c5-c420-40bb-a9a2-35b8d948a89d.vbs"76⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe77⤵
- Checks whether UAC is enabled
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2592b695-80f2-40ff-8b5a-aa59f1e3baa5.vbs"78⤵
-
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe79⤵
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b74b677-8ea8-45be-8775-9c63fb68a96c.vbs"78⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d2a18eb-d9a4-42b5-9cd9-5c1ace9df20b.vbs"76⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d64ad0cf-f534-436c-80c8-c7e0791a534b.vbs"74⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47c7d5f6-42b1-49e1-aa28-df741bc901a0.vbs"72⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f77a09-f2b4-48b3-b764-078edf3ed4b9.vbs"70⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bed9b5e-e319-421b-b4e2-8c401434d8a4.vbs"68⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2632b152-5311-45ae-9d57-118893298cab.vbs"66⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca0abd2-fd94-40b0-add5-2befc07ed03b.vbs"64⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea907f92-5fbc-48b9-b131-f57d3849c4c7.vbs"62⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5865c6f5-f160-4548-b6a4-ede9c06557ea.vbs"60⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d8e2af-b459-41ea-9a7c-5fbd0c820b1f.vbs"58⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1031bbc-1578-438f-9c40-0947ba730b33.vbs"56⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5901a94d-716c-46f2-8c5d-356fa6b4fdde.vbs"54⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cb598c1-189f-4525-95ed-bbc971796a8b.vbs"52⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92e7720-bcb7-4a80-aa59-a71dde786e7e.vbs"50⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07da1700-8d0c-44a7-8dae-6ed62fead0e5.vbs"48⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6fe4735-3f0d-46fd-a067-899cfde65d82.vbs"46⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed6a050-b5ac-4e53-a673-52729356fc0e.vbs"44⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0dd4dae-3913-43dc-90f3-b38d4a5a9f36.vbs"42⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d432c9-477a-4a23-96fa-4e09260d4169.vbs"40⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2741ae44-0bfd-40ff-8d7b-db35d3903a1d.vbs"38⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944c1096-9220-4bf2-9528-bc23efd468cd.vbs"36⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31a92b0-a8a7-472d-8d71-8db275b551b6.vbs"34⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed229ad-376f-4224-8df6-9e1b80d34731.vbs"32⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f3566e-6454-476a-b9f6-1a77344e8c7a.vbs"30⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63de7335-0b06-4cae-8d3b-a46d35794d7e.vbs"28⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce26ae1b-2d2c-49df-b0e3-32693de06c1e.vbs"26⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed92687a-a79a-464d-9334-4d2cb62ffd75.vbs"24⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c932af-2d38-41e1-8a97-d496a0ec7705.vbs"22⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c564a0-4579-4273-a08a-0557299b887b.vbs"20⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66638d9f-002c-4cb1-8ef7-cd3c532d0a4f.vbs"18⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d43634ff-faf9-4e4a-ba73-30f19705d1fe.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7830816-0a22-4090-bfc2-c4a253058d31.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2284a41e-5908-46a1-a79e-9d6e835af824.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5984179c-e716-4dee-a1e4-54bb2cc88ad2.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc43f0a-afe7-495e-aa27-a2436b925282.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a15ceab6-0fd7-4886-8b0d-ced2e1438b84.vbs"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5e52895-461c-4c15-825a-de9ded2a04ff.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1608ef2f-1168-4a08-ae8d-1cd6348f241c.vbs"2⤵
-
C:\Program Files (x86)\Internet Explorer\lsass.exe"C:\Program Files (x86)\Internet Explorer\lsass.exe"1⤵
-
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
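The tree above is flattened by extraction: each row is the image path, the command line and a trailing depth number run together. As an added example (not part of the sandbox report or its vendor's tooling), the Python below parses rows in exactly that shape, rebuilds parent/child links from the depth column, and flags the two behaviours the tree shows: Windows system-binary names (wininit.exe, lsass.exe, dllhost.exe, RuntimeBroker.exe) executing from C:\Recovery\WindowsRE\ and C:\Program Files (x86)\Internet Explorer\ rather than a Windows system directory, and the relaunch loop in which each wininit.exe copy runs WScript.exe on a freshly named GUID .vbs in the user's Temp folder, which in turn starts the next wininit.exe. The sample rows are a short constructed subset copied from the tree above; the list of protected binary names and of legitimate system directories is the author's own analyst choice, and reading the trailing number as nesting depth is an assumption about the report's rendering.

```python
"""Triage a flattened sandbox process tree for DcRat-style behaviour.

Added example for this page; not the sandbox vendor's code. SAMPLE_TREE is a
constructed subset of rows copied from the report. PROTECTED_NAMES and
SYSTEM_DIRS are analyst choices, not something the report states.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: eight rows copied from the tree above, same flattened shape.
SAMPLE_TREE = r"""
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe1⤵
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671544be-9732-4edc-a0e3-b75500a0ad76.vbs"2⤵
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe3⤵
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e94dea9-8ad0-4290-8d8a-d5f44e4eaacb.vbs"4⤵
C:\Recovery\WindowsRE\wininit.exeC:\Recovery\WindowsRE\wininit.exe5⤵
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1608ef2f-1168-4a08-ae8d-1cd6348f241c.vbs"2⤵
C:\Program Files (x86)\Internet Explorer\lsass.exe"C:\Program Files (x86)\Internet Explorer\lsass.exe"1⤵
C:\Recovery\WindowsRE\dllhost.exeC:\Recovery\WindowsRE\dllhost.exe1⤵
"""

# Row shape: <image path><command line><depth>⤵ ; the trailing number is read
# as the row's nesting depth (assumption about how the report is rendered).
ROW_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵?$", re.IGNORECASE)

# GUID-named .vbs under the user's Temp directory, as seen in the tree.
GUID_VBS_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs\b",
    re.IGNORECASE,
)

# Binaries Windows ships only under SYSTEM_DIRS (analyst list, not from the report).
PROTECTED_NAMES = {"wininit.exe", "lsass.exe", "dllhost.exe", "runtimebroker.exe",
                   "explorer.exe", "csrss.exe", "services.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Proc:
    image: str
    cmd: str
    depth: int
    parent: Optional[Proc] = None
    children: list[Proc] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.image.rsplit("\\", 1)[0].lower()


def parse_tree(text: str) -> list[Proc]:
    """Rebuild parent links: a row's parent is the most recent row one level shallower."""
    procs: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # separators, signature bullets, blank lines
        p = Proc(m["image"], m["cmd"].strip(), int(m["depth"]))
        p.parent = last_at_depth.get(p.depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def is_masquerade(p: Proc) -> bool:
    """A protected system-binary name running from outside the system directories."""
    return p.name in PROTECTED_NAMES and p.directory not in SYSTEM_DIRS


def is_temp_guid_script(p: Proc) -> bool:
    """WScript/CScript executing a GUID-named .vbs from %LOCALAPPDATA%\\Temp."""
    return p.name in {"wscript.exe", "cscript.exe"} and bool(GUID_VBS_RE.search(p.cmd))


def relaunch_hops(procs: list[Proc]) -> list[Proc]:
    """Script rows whose parent and at least one child are the same masqueraded binary."""
    hops = []
    for p in procs:
        if not is_temp_guid_script(p) or p.parent is None or not is_masquerade(p.parent):
            continue
        if any(c.image.lower() == p.parent.image.lower() for c in p.children):
            hops.append(p)
    return hops


def triage(text: str) -> dict:
    procs = parse_tree(text)
    return {
        "rows": len(procs),
        "masquerades": sorted({p.image for p in procs if is_masquerade(p)}),
        "temp_scripts": sum(is_temp_guid_script(p) for p in procs),
        "relaunch_hops": len(relaunch_hops(procs)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TREE), indent=2))
```

Run against the full tree above, the same parser will report the three masqueraded paths plus C:\Recovery\WindowsRE\RuntimeBroker.exe, and one relaunch hop per wininit.exe level; the depth-based parent reconstruction is what lets the check distinguish the .vbs that starts the next copy from the second .vbs each level spawns without a child.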
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat
Filesize 42B
MD5 9005984f23c241ae6504691edad99db9
SHA1 50ec3cca58fd37b1853bd144854fb0242019d2b9
SHA256 e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de
SHA512 183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff
-
C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe
Filesize 227B
MD5 8ad651de9eab5382f5aeb6e0a38e22bc
SHA1 c45b320fdec6e25ccacc31bdf3999a6fec82c9a0
SHA256 adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01
SHA512 6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a
-
C:\Bridgeserverintocommon\file.vbs
Filesize 34B
MD5 677cc4360477c72cb0ce00406a949c61
SHA1 b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256 f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA512 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Bridgeserverintocommon\intobroker.exe
Filesize 3.4MB
MD5 34f09d31d624cddea4794d6b60fb342a
SHA1 21dae839ec2ac251c1d80d51e32e5b0f7c9c208f
SHA256 fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f
SHA512 e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
Filesize 1KB
MD5 b058942fe750846925da0c79dbad94ec
SHA1 338efbdf7514f23e73dac4e69c6e9b979b0c902f
SHA256 de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559
SHA512 bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e
-
C:\Users\Admin\AppData\Local\Temp\01bba978-0e5d-4998-b927-bfd56e4cb24f.vbs
Filesize 709B
MD5 92c956f071c09915d1cfb9ed5323947b
SHA1 2a62ad669cdeed7ab7d8e055d5d7ac0455330714
SHA256 a6a210ca6c4a7dda997ace1193c7b722abf8cdbabe5a27bb28886e2da243860d
SHA512 df2ced8535a7b0827d7e4d3c3e2a7a0c9a5e56ddbcff5633e1f9d4991327ef9aba6aca7338ec152445cce56707b12054233b42b3fca61383f8489e39511e8309
-
C:\Users\Admin\AppData\Local\Temp\12e7d9e5-f22d-4585-b3f0-d210976fdd73.vbs
Filesize 708B
MD5 4f8e53583394c70b0cde7ac37950a4fc
SHA1 08da27d323b012321038757959eb7f6106da2a60
SHA256 aa27d70ad3a976d8d210901cf62fb4ec8147998694d05d4b796baae3adfad917
SHA512 bad5964428f411231bf3a1d11969c46743c96b569d31670abfded1b69ad5ee4b39ad8491edbc1dbf6f2c07439aa62cecce49e169c91ca84541358f14ef5acf34
-
C:\Users\Admin\AppData\Local\Temp\25411de5-3532-463c-ad6a-08a34584af6c.vbs
Filesize 709B
MD5 1b63ab46d699c684e6c215e8948de984
SHA1 49aac00a955632e9009554a82f9f1d9d231d37da
SHA256 1a49648debfa6ec0859f8dab5a0fc8bd1d53233359248a7566a7e8e18ad11c50
SHA512 c3a4c760201edad9e38dc4415f2273dfa2ac37539cd70eb52fee32eec0448f1889df9ed8d5b8ff5f87b7b67ea67e4cabd05cb21182854f3ebc32dc1ad5a87ef6
-
C:\Users\Admin\AppData\Local\Temp\2f1832da-5f78-44ae-ac58-ab65415efb68.vbs
Filesize 709B
MD5 13ec4414642dc109f6bc823ee98ae05e
SHA1 9595853147ab7315974bc5a1085a0f349f66b56b
SHA256 25a0745dcc50b3e205f8f709cf719fafaf342c00681253fcc00e870ac56d4d14
SHA512 b5830a2ff7c5e6f0fcdc07a999b40960c00189512b39100dc960173c87b2f63df1a1b76a2dfbe92ed49c083a2d145bc29684afa6241b8dfd29d3e46c1c5c4cbd
-
C:\Users\Admin\AppData\Local\Temp\45ec3c2f-cbab-42ca-a9a7-92d695e93190.vbs
Filesize 709B
MD5 ddd7eb746e801fa8a634af91ae464666
SHA1 89bb99a5eb6ba632083df438ebd4637fdd7cd804
SHA256 8e1e18001c7e498db58a3636e9ab54b7d37807a3cccabc35da7761f2fc613a84
SHA512 3fa3affaff313934bbaf93e0c42db58f5b2a4450aa8fc0e030d0cdfd8e3d628fc1265425e25566178100e100732fb1542852f2d94ee475fd048e7ce7c3f3b31d
-
C:\Users\Admin\AppData\Local\Temp\4ce88bea-3f0d-44ea-9f20-ba7cecbcf361.vbs
Filesize 709B
MD5 fd127fcf7511335cc67fd7f6baf6698f
SHA1 258e2f779e8a061f38e435f9d7277bb28f6c4053
SHA256 decd3dd003df2d90f2a0d2bcb6e47f9c9ff2815def8b675f1a23792e132c4c5a
SHA512 da3dc7ce07a7b6a29a25d92cc59f7021f998a411e17d3a634456544b7388f653cbda29e7ca3552a299f1ae9b115433ab374b0396733193ab740ea6571351a86d
-
C:\Users\Admin\AppData\Local\Temp\5259f394-9c3b-4a35-b9ba-47aba974bf69.vbs
Filesize 709B
MD5 2bf0612845f4c628eb567f843b2a1ef3
SHA1 b8faab40894a0409a80e2f2de523cf103f0207d2
SHA256 2054ede9cdcf9e8efa7c04199c54707f6a496074a299bdf3581fcea1616c50d1
SHA512 af4d4468b6db7691e8562bd002fffc9629d2d10f297403aa286aaccb84209fe6f32b5fb6649bc891eefed9e0ad29d8390e665a5fae78d35dec039ec99e23da57
-
C:\Users\Admin\AppData\Local\Temp\5a68b638-233c-4a47-9770-29624516c166.vbs
Filesize 708B
MD5 f297ed7bd394dccda0e01f4c26191e3c
SHA1 9bf334af3d6f0b9352280b84c8e7fe8c7efd034d
SHA256 289415fcc70d9d478c14833956ac6a852b4e6d5bf5598a9e1d799f5140b34329
SHA512 48009f3a8db082ceff225d281eccc54e9a6b84b0d2b6ec3ca3a9beb56c3848a25c60601ba911d11e8376f48b1350684ebb7e3d17cc1f432e1008c15c410635e8
-
C:\Users\Admin\AppData\Local\Temp\649a2fbf-16fe-43c2-a7e1-bb968f5ebde0.vbs
Filesize 708B
MD5 c0a96b9fedb479d07652c28bbb5af394
SHA1 611e2a3fa1eb7440efa9a9e1213d01f0092c57ee
SHA256 865bd8e8d585b2b364774ce615c82bbf21174f8eae774c712aba404c3dce2bbd
SHA512 6e5aeed8a94e57e14cd40078f6188c27590e703945886262c7acffa70867812a9b5fabf264d3d5eb942dee3960f7fb00e62067f20f909f7cd0dbc043ae4a7c41
-
C:\Users\Admin\AppData\Local\Temp\7926de01-fc77-40c6-8560-d0602de73fd7.vbs
Filesize 709B
MD5 d01e48ce01ec5bae7230f4749aa36540
SHA1 f456038daca845cfb16e30a33f4967adea74f678
SHA256 18753e9397d3112772d869351fa4f22414cba3586912eca6fbf4880a6cb41e18
SHA512 f4ef5bd87059b35d89e7e65f5bb15c5023ea5fa09672e88dd4fe08e04449094898f2ebbc677943af724fb00790d3760294615f1c419a7a0d3d494dc1fb3d5499
-
C:\Users\Admin\AppData\Local\Temp\7e531bb5-f608-48a3-895a-e56a4cd085e4.vbs
Filesize 709B
MD5 58a449e4586ad6ef712dec5b5d9e234f
SHA1 2c95220bc0b0fd05ce0e804e0fd168258f819113
SHA256 9673f607f746a2ddbd1295a9a5cc199cf71b1e7139c9554caf9ee0912edbd4f7
SHA512 c4fa112951c088dc757f10ccf905db37d48547eeaf893aa8e9c0b232e7fd7ed617e8b52de0d4473a1b382360bf5b03fcf6fc02a46c908f3b525192bdd3e5cb55
-
C:\Users\Admin\AppData\Local\Temp\7f27820d-55d2-416e-9cd1-ff38ccde898e.vbs
Filesize 715B
MD5 b1c397f2afbbe58146c4129960afb041
SHA1 cf2479ea0e77373eacd717d930115c0a6cbee4e8
SHA256 0ddd63c919df94ae9669b2e69632b50d342af7068ffcfcb08dbabae154055f37
SHA512 b0721fd7c24fba7a474359b49f5403f5c78f9640b5bd73a9ee41bd38f8bab60610f5885461f84392f724dce2c4eed26949442db104bca2fb4c2940741b1c9392
-
C:\Users\Admin\AppData\Local\Temp\96003001-068f-4680-90ae-561c2826abc4.vbs
Filesize 709B
MD5 b8de523162982fb95f3fc7f95e377429
SHA1 dd1cffd88333d62ff3d973a215631eee9478bc32
SHA256 06caf65f80f6121e143462954364c9d34545ef61bb3cefbc1f053235479d63a8
SHA512 9c06a3b7d4c3f3e2d498b2cb7fd41fa8706ecbd444e1a76c8a08ca74e405e8fdabe30a6d8f91486cde8a7065276f363f82b3207ca19b1048770e820068874626
-
C:\Users\Admin\AppData\Local\Temp\AimStar.exe
Filesize 2.2MB
MD5 61f4153bfff66366181c4102763763b6
SHA1 69e7786d66e718426321e2db61a6bafb3129b6a9
SHA256 e785f907b24d5397d7dc19386dd8fcceb442395b67c023ab43f8aa9b0346c199
SHA512 e98b2d49cd3e189e37670b937954e46b3c8f002dffb4bfcc764d8145acdd6b33042d408b05883cd8f3678382bb02ba58fc84e10273778307630c8ec49c24d4bb
-
C:\Users\Admin\AppData\Local\Temp\L0XaTsj2YO.bat
Filesize 198B
MD5 da39f87d62b1368a4af5e8698f0149bd
SHA1 398bf43e0328f11986bc68fb45b8dcc488deb96e
SHA256 2265ab2f539afe65eb32b01086d6a1c904a01639bb5f1121ca016dd1d1e2c2d2
SHA512 8c4bc4ae3a25809eae39ccdae22acf70b5c3cc24d3ca187929fefb2bdf6ddc0688b5295da2e9aeee9064f77cd020e270f177d4213ba161a0869800c98cef3cc9
-
C:\Users\Admin\AppData\Local\Temp\c619c2b5-87db-4315-a48e-ee99d2865150.vbs
Filesize 709B
MD5 edc31b21d1ff42c6cb3d47f2e5539cb1
SHA1 c9f408c62cdde10af49e863b0a0c6cbb4a3b7054
SHA256 8db81f83468aa410fa5b90c33d75b6e0519ed33e5877ede782e31c15357f5b5c
SHA512 63167e6fc3f8ce497653e424a906638d797c27cbafcaf612da05a1d0939e455b9d97cd99498faad8f7fec7d2f2a52609f9e2518d435b83be0d58ffbdddac8c79
-
C:\Users\Admin\AppData\Local\Temp\ca423b83-c3e1-47a5-9ecf-8576ee80486c.vbs
Filesize 485B
MD5 a063c562d1aef0945bb3b40edc47589d
SHA1 6d12743c69567bb9d087f1808a9079b83389fbb9
SHA256 8db9d21ccf39ad9fb52e281e3b5ccc27fd02a9045ba22b9859d8229df2c4362c
SHA512 38fd99e1093d53acb72945459749d4742ce035140e17ccfe09b8a63eb8a757d83a15e4117fca024d2c14e8ee6f3ec00205dfbdef8fdba107532407db177bffb3
-
C:\Users\Admin\AppData\Local\Temp\d3ef5ad8-3ae2-46ed-a311-03d071421781.vbs
Filesize 485B
MD5 07dc24a9465c9e134076ef1e04a89817
SHA1 4a8a4059ff9cb53f5e4fa4f23454426b0eab55b2
SHA256 cfcdb3391bb39823f1a430376565cee9e928978ff35328d17399f724c80482c1
SHA512 7ce4a9678d44cb67a6cbd4a8fb1746eaf1a088568df305412a163e1096bc71cef8d5ecc9ff3f959aeef9caae426a71a46e9852c1f456206fa7a946a1fd76beb1
-
C:\Users\Admin\AppData\Local\Temp\d888000a-f067-4dae-97b2-bdd7dc3116ec.vbs
Filesize 709B
MD5 df8e7790dca421001947935675490926
SHA1 43601c6ce7a29624f4d96b65fa76d4def9fe2ca0
SHA256 85961ef3236f221d7e80c8a49961a9218b8614680e31ed3cd6812188d93c1f1a
SHA512 90862a6a1e00b1e5f7caaf913eb364413bfbf547f2c80d9212cf9d5e5dcabd9c513af3104accd73d9e9b8a0d6bd8520126abe3fedb169aa5e9231c44e2e609fd
-
C:\Users\Admin\AppData\Local\Temp\e53f6212-924f-42d3-89e6-d49cbd7339b0.vbs
Filesize 709B
MD5 84b81a9e1c5da761d0949ec308676ec7
SHA1 1d4d69cb38c324231ff55fdf4ccac68aed41d5bb
SHA256 998b821378589822aaa5e423fc7264ff2011840780e1d3992464bd5bd969a05b
SHA512 f2f85cb14745904f2fc8c3b347e8f0ffc16617df5f9035b47a466421969efd5558cb4d8ac8e417eb34c902fd7bda4b5c27fee63179fe23909088dd7664c29822
-
C:\Users\Admin\AppData\Local\Temp\ec8bf9c2-cfa5-4880-94ee-6d4f296d36f1.vbs
Filesize 491B
MD5 a1c2ca30d4df6f741e55c36f8a5dd37d
SHA1 448780363dce80afe238c5745587f1c4347b312b
SHA256 ce774df252fd0454b4a86fcd80a666acfaab5c4d1f43661c665b4e5d345866fa
SHA512 fcfaf07f2a25d52b9714d32007f4401f007f3ee5a2fc52274d7a3d026dca271348cc26aa1a4768cab28cb039d6c0cbd241b574296baed787ad9b119f2113a18a
-
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize 3.7MB
MD5 3aff466445051bd93a7ea3ae519587ef
SHA1 516c1e9da912f6d988146fb812d88bdc7b30588a
SHA256 47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e
SHA512 3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f
-
C:\Users\Admin\AppData\Local\Temp\ffa5c4ed-8f80-4922-8b03-4dd6b6c62c0c.vbs
Filesize 709B
MD5 ebe6604d9ccaa634613113af50bccb11
SHA1 9a39304f1d51db1920c5df1698a22c23ecca4e24
SHA256 0ab4d64f118dbc8672a691a0e7b865119c97d0d4e236b20f90374b25226e9ba3
SHA512 a3d65f0f9f65be3884a136726e3be5ac683fb316ba36967511c028363b334a55f2b2b412a2287b9501a9a16306547085bb135c23afd55ac1922ec5854f83832a
-
memory/412-349-0x000000001B850000-0x000000001B862000-memory.dmp
Filesize 72KB
-
memory/412-229-0x000000001BF00000-0x000000001BF12000-memory.dmp
Filesize 72KB
-
memory/1144-838-0x000000001BFF0000-0x000000001C002000-memory.dmp
Filesize 72KB
-
memory/1144-823-0x000000001D7B0000-0x000000001D806000-memory.dmp
Filesize 344KB
-
memory/1408-378-0x000000001B520000-0x000000001B532000-memory.dmp
Filesize 72KB
-
memory/1448-953-0x000000001C3F0000-0x000000001C402000-memory.dmp
Filesize 72KB
-
memory/1972-106-0x000000001BB60000-0x000000001BB72000-memory.dmp
Filesize 72KB
-
memory/2076-393-0x0000000002F40000-0x0000000002F52000-memory.dmp
Filesize 72KB
-
memory/2100-637-0x000000001D1F0000-0x000000001D202000-memory.dmp
Filesize 72KB
-
memory/2176-75-0x000000001BE80000-0x000000001BE88000-memory.dmp
Filesize 32KB
-
memory/2176-51-0x000000001B350000-0x000000001B362000-memory.dmp
Filesize 72KB
-
memory/2176-70-0x000000001BE30000-0x000000001BE3E000-memory.dmp
Filesize 56KB
-
memory/2176-72-0x000000001BE50000-0x000000001BE5E000-memory.dmp
Filesize 56KB
-
memory/2176-71-0x000000001BE40000-0x000000001BE48000-memory.dmp
Filesize 32KB
-
memory/2176-73-0x000000001BE60000-0x000000001BE68000-memory.dmp
Filesize 32KB
-
memory/2176-74-0x000000001BE70000-0x000000001BE7C000-memory.dmp
Filesize 48KB
-
memory/2176-41-0x00000000002D0000-0x0000000000638000-memory.dmp
Filesize 3.4MB
-
memory/2176-76-0x000000001BF90000-0x000000001BF9A000-memory.dmp
Filesize 40KB
-
memory/2176-67-0x000000001BE00000-0x000000001BE08000-memory.dmp
Filesize 32KB
-
memory/2176-68-0x000000001BE10000-0x000000001BE1C000-memory.dmp
Filesize 48KB
-
memory/2176-64-0x000000001BBD0000-0x000000001BBD8000-memory.dmp
Filesize 32KB
-
memory/2176-65-0x000000001BBE0000-0x000000001BBEC000-memory.dmp
Filesize 48KB
-
memory/2176-66-0x000000001BBF0000-0x000000001BBFC000-memory.dmp
Filesize 48KB
-
memory/2176-63-0x000000001BBC0000-0x000000001BBCC000-memory.dmp
Filesize 48KB
-
memory/2176-62-0x000000001C0F0000-0x000000001C618000-memory.dmp
Filesize 5.2MB
-
memory/2176-61-0x000000001BB90000-0x000000001BBA2000-memory.dmp
Filesize 72KB
-
memory/2176-60-0x000000001BB80000-0x000000001BB88000-memory.dmp
Filesize 32KB
-
memory/2176-42-0x0000000002820000-0x000000000282E000-memory.dmp
Filesize 56KB
-
memory/2176-59-0x000000001BB70000-0x000000001BB7C000-memory.dmp
Filesize 48KB
-
memory/2176-58-0x000000001BB60000-0x000000001BB68000-memory.dmp
Filesize 32KB
-
memory/2176-57-0x000000001BB50000-0x000000001BB5C000-memory.dmp
Filesize 48KB
-
memory/2176-56-0x000000001BB00000-0x000000001BB56000-memory.dmp
Filesize 344KB
-
memory/2176-55-0x000000001B3E0000-0x000000001B3EA000-memory.dmp
Filesize 40KB
-
memory/2176-54-0x000000001B3D0000-0x000000001B3E0000-memory.dmp
Filesize 64KB
-
memory/2176-53-0x000000001B3C0000-0x000000001B3C8000-memory.dmp
Filesize 32KB
-
memory/2176-52-0x000000001B3B0000-0x000000001B3BC000-memory.dmp
Filesize 48KB
-
memory/2176-69-0x000000001BE20000-0x000000001BE2A000-memory.dmp
Filesize 40KB
-
memory/2176-43-0x000000001B1B0000-0x000000001B1BE000-memory.dmp
Filesize 56KB
-
memory/2176-44-0x000000001B1C0000-0x000000001B1C8000-memory.dmp
Filesize 32KB
-
memory/2176-46-0x000000001B360000-0x000000001B3B0000-memory.dmp
Filesize 320KB
-
memory/2176-47-0x000000001B1F0000-0x000000001B1F8000-memory.dmp
Filesize 32KB
-
memory/2176-50-0x000000001B340000-0x000000001B34C000-memory.dmp
Filesize 48KB
-
memory/2176-45-0x000000001B1D0000-0x000000001B1EC000-memory.dmp
Filesize 112KB
-
memory/2176-48-0x000000001B310000-0x000000001B320000-memory.dmp
Filesize 64KB
-
memory/2176-49-0x000000001B320000-0x000000001B336000-memory.dmp
Filesize 88KB
-
memory/2208-608-0x000000001C9F0000-0x000000001CA02000-memory.dmp
Filesize 72KB
-
memory/2600-151-0x0000000002D20000-0x0000000002D32000-memory.dmp
Filesize 72KB
-
memory/3556-1032-0x000000001CBB0000-0x000000001CC06000-memory.dmp
Filesize 344KB
-
memory/3560-269-0x000000001B1E0000-0x000000001B1F2000-memory.dmp
Filesize 72KB
-
memory/3756-931-0x000000001CDB0000-0x000000001CE06000-memory.dmp
Filesize 344KB
-
memory/3876-451-0x000000001BD50000-0x000000001BD62000-memory.dmp
Filesize 72KB
-
memory/3876-450-0x00000000033A0000-0x00000000033B2000-memory.dmp
Filesize 72KB
-
memory/4080-0-0x00000000005E0000-0x0000000000A78000-memory.dmp
Filesize 4.6MB
-
memory/4080-32-0x00007FFF91110000-0x00007FFF91BD2000-memory.dmp
Filesize 10.8MB
-
memory/4080-2-0x000000001B7A0000-0x000000001B7B0000-memory.dmp
Filesize 64KB
-
memory/4080-1-0x00007FFF91110000-0x00007FFF91BD2000-memory.dmp
Filesize 10.8MB
-
memory/4160-793-0x000000001CDF0000-0x000000001CE02000-memory.dmp
Filesize 72KB
-
memory/4360-333-0x000000001B830000-0x000000001B842000-memory.dmp
Filesize 72KB
-
memory/4732-808-0x000000001D3F0000-0x000000001D402000-memory.dmp
Filesize 72KB
-
memory/4736-867-0x000000001BFB0000-0x000000001C006000-memory.dmp
Filesize 344KB
-
memory/4944-750-0x000000001D3F0000-0x000000001D402000-memory.dmpFilesize
72KB
-
memory/5548-975-0x000000001BDF0000-0x000000001BE02000-memory.dmpFilesize
72KB
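Each dump name above encodes the PID, the report's dump index and the start and end address of the region, and the Filesize column is printed separately. The Python below is an added example, not part of the sandbox report: it parses those records, recomputes each region's length from its address range and checks it against the printed Filesize (the report's KB/MB are 1024-based), groups regions per PID, and lists the regions of at least 1 MiB, which are the usual first candidates to pull into a disassembler when hunting for a full image or unpacked payload. The sample records are copied from the listing above (one deliberately in the fused "...memory.dmpFilesize" form that the flattened table produces); the PID 9999 record is constructed with a wrong size so the check has something to flag. `SAMPLE_LISTING`, `BAD_RECORD` and the 1 MiB threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Dump names as they appear in the report listing:
#   memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
# When the report table is flattened to text the "Filesize" column header
# is sometimes fused onto the name, so the pattern accepts that form too.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp(?:Filesize)?$"
)


def format_size(nbytes: int) -> str:
    """Render a byte count the way the report does: whole KiB below 1 MiB,
    otherwise MiB with one decimal (printed as 'KB' / 'MB')."""
    if nbytes < 1024 ** 2:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def parse_entries(listing: str) -> list:
    """Parse name / Filesize / <size> / '-' records into dicts carrying the
    PID, dump index, address range, the span implied by that range, the
    size string the report printed, and whether the two agree."""
    lines = [ln.strip() for ln in listing.splitlines()
             if ln.strip() and ln.strip() != "-"]
    entries, i = [], 0
    while i < len(lines):
        m = DUMP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        if j < len(lines) and lines[j] == "Filesize":  # split-header form
            j += 1
        reported = lines[j] if j < len(lines) else ""
        start, end = int(m["start"], 16), int(m["end"], 16)
        span = end - start
        entries.append({
            "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "span": span,
            "reported": reported, "ok": format_size(span) == reported,
        })
        i = j + 1
    return entries


def size_mismatches(entries: list) -> list:
    """Entries whose address range does not agree with the printed Filesize."""
    return [e for e in entries if not e["ok"]]


def large_regions(entries: list, min_bytes: int = 1024 ** 2) -> list:
    """Regions at least min_bytes long, in listing order."""
    return [e for e in entries if e["span"] >= min_bytes]


def summarize(entries: list) -> dict:
    """Per-PID region count, total bytes dumped and the largest region."""
    by_pid = defaultdict(list)
    for e in entries:
        by_pid[e["pid"]].append(e)
    return {
        pid: {"count": len(regs),
              "total": sum(r["span"] for r in regs),
              "largest": max(regs, key=lambda r: r["span"])}
        for pid, regs in by_pid.items()
    }


# Records copied from the listing above; the first is in the fused form.
SAMPLE_LISTING = """
memory/2176-75-0x000000001BE80000-0x000000001BE88000-memory.dmpFilesize
32KB
-
memory/2176-41-0x00000000002D0000-0x0000000000638000-memory.dmp
Filesize
3.4MB
-
memory/2176-62-0x000000001C0F0000-0x000000001C618000-memory.dmp
Filesize
5.2MB
-
memory/2176-56-0x000000001BB00000-0x000000001BB56000-memory.dmp
Filesize
344KB
-
memory/4080-0-0x00000000005E0000-0x0000000000A78000-memory.dmp
Filesize
4.6MB
-
memory/4080-1-0x00007FFF91110000-0x00007FFF91BD2000-memory.dmp
Filesize
10.8MB
-
memory/4080-2-0x000000001B7A0000-0x000000001B7B0000-memory.dmp
Filesize
64KB
-
memory/3556-1032-0x000000001CBB0000-0x000000001CC06000-memory.dmp
Filesize
344KB
-
"""

# Constructed record (not from the report): the range spans 64KB but the
# printed size says 32KB, so the consistency check must flag it.
BAD_RECORD = """
memory/9999-0-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize
32KB
-
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LISTING + BAD_RECORD)
    for e in size_mismatches(entries):
        print(f"size mismatch: {e['pid']}-{e['idx']} range implies "
              f"{format_size(e['span'])}, report says {e['reported']}")
    for pid, s in sorted(summarize(entries).items()):
        big = s["largest"]
        print(f"pid {pid}: {s['count']} regions, {format_size(s['total'])} total, "
              f"largest 0x{big['start']:016X}-0x{big['end']:016X} "
              f"({format_size(big['span'])})")
    for e in large_regions(entries):
        print(f"large region {e['pid']}-{e['idx']}: {format_size(e['span'])}")
```

Run it against the full listing by pasting the records into `SAMPLE_LISTING`; every record on this page reconciles, so any mismatch you see in another report means the listing was mangled in transit or the dump was truncated, and the file is worth re-fetching before analysis.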