dcrat | 3e5c92ebdbc350c5d12d8a684ae957f570f9fed8c4099415f1d9206c910886a5

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Size

1.9MB
MD5

54089b721bddf319a3f62f8df5b18033
SHA1

730c65bf2c9321979125dc562b5af6b4a6204c04
SHA256

3e5c92ebdbc350c5d12d8a684ae957f570f9fed8c4099415f1d9206c910886a5
SHA512

1aee4a16c043db5a6b6e4fb69a014b55f849027b1ea78b716baf27413671945fbc8d6b76eb15ac9c5e066b6a12c965d4420ee4f0036e602c8543301cd4d27981
SSDEEP

49152:fl+hxVRHd6M7ArX7Hc0jd7DohfJnLB5P3:fohxVR8EATxDqfJnzf

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2568	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2568	schtasks.exe	28

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2812-1-0x0000000000030000-0x0000000000218000-memory.dmp	dcrat
behavioral1/files/0x0006000000016283-32.dat	dcrat
behavioral1/memory/2272-222-0x0000000000C90000-0x0000000000E78000-memory.dmp	dcrat
behavioral1/files/0x0007000000019368-247.dat	dcrat
behavioral1/memory/1724-255-0x00000000003C0000-0x00000000005A8000-memory.dmp	dcrat
behavioral1/memory/1968-267-0x0000000000FF0000-0x00000000011D8000-memory.dmp	dcrat
behavioral1/memory/2340-279-0x0000000001170000-0x0000000001358000-memory.dmp	dcrat
behavioral1/memory/1840-291-0x0000000001210000-0x00000000013F8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1312	powershell.exe
1748	powershell.exe
1184	powershell.exe
2416	powershell.exe
2944	powershell.exe
2096	powershell.exe
2316	powershell.exe
1660	powershell.exe
2616	powershell.exe
528	powershell.exe
1308	powershell.exe
112	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2272	audiodg.exe
2516	audiodg.exe
2652	audiodg.exe
1724	audiodg.exe
1968	audiodg.exe
2340	audiodg.exe
1840	audiodg.exe
2596	audiodg.exe
764	audiodg.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\56085415360792	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\taskhost.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX9A8F.tmp	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\b75386f1303e64	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXA916.tmp	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\RCXAD3C.tmp	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\lsm.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB163.tmp	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\csrss.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\lsm.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\101b941d020240	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\taskhost.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\lsass.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\6203df4a6bafc7	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX9EB5.tmp	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\lsass.exe	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
908	schtasks.exe
2552	schtasks.exe
536	schtasks.exe
1756	schtasks.exe
1100	schtasks.exe
836	schtasks.exe
1924	schtasks.exe
324	schtasks.exe
576	schtasks.exe
1348	schtasks.exe
1936	schtasks.exe
2280	schtasks.exe
1980	schtasks.exe
2504	schtasks.exe
2312	schtasks.exe
1916	schtasks.exe
2656	schtasks.exe
1852	schtasks.exe
2396	schtasks.exe
1632	schtasks.exe
1972	schtasks.exe
2320	schtasks.exe
1844	schtasks.exe
2872	schtasks.exe
1540	schtasks.exe
2372	schtasks.exe
572	schtasks.exe
1156	schtasks.exe
2140	schtasks.exe
2592	schtasks.exe
2908	schtasks.exe
2616	schtasks.exe
2776	schtasks.exe
552	schtasks.exe
1920	schtasks.exe
2288	schtasks.exe
2160	schtasks.exe
2112	schtasks.exe
1276	schtasks.exe
1208	schtasks.exe
2988	schtasks.exe
1664	schtasks.exe
2788	schtasks.exe
2156	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
528	powershell.exe
1660	powershell.exe
2316	powershell.exe
2616	powershell.exe
2096	powershell.exe
1308	powershell.exe
2944	powershell.exe
112	powershell.exe
1312	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2272	audiodg.exe
Token: SeDebugPrivilege	2516	audiodg.exe
Token: SeDebugPrivilege	2652	audiodg.exe
Token: SeDebugPrivilege	1724	audiodg.exe
Token: SeDebugPrivilege	1968	audiodg.exe
Token: SeDebugPrivilege	2340	audiodg.exe
Token: SeDebugPrivilege	1840	audiodg.exe
Token: SeDebugPrivilege	2596	audiodg.exe
Token: SeDebugPrivilege	764	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2616	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	74
PID 2812 wrote to memory of 2616	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	74
PID 2812 wrote to memory of 2616	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	74
PID 2812 wrote to memory of 2944	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	75
PID 2812 wrote to memory of 2944	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	75
PID 2812 wrote to memory of 2944	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	75
PID 2812 wrote to memory of 2096	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	76
PID 2812 wrote to memory of 2096	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	76
PID 2812 wrote to memory of 2096	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	76
PID 2812 wrote to memory of 528	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	77
PID 2812 wrote to memory of 528	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	77
PID 2812 wrote to memory of 528	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	77
PID 2812 wrote to memory of 2316	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	78
PID 2812 wrote to memory of 2316	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	78
PID 2812 wrote to memory of 2316	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	78
PID 2812 wrote to memory of 1660	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	79
PID 2812 wrote to memory of 1660	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	79
PID 2812 wrote to memory of 1660	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	79
PID 2812 wrote to memory of 1312	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	80
PID 2812 wrote to memory of 1312	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	80
PID 2812 wrote to memory of 1312	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	80
PID 2812 wrote to memory of 1748	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	81
PID 2812 wrote to memory of 1748	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	81
PID 2812 wrote to memory of 1748	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	81
PID 2812 wrote to memory of 1184	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	82
PID 2812 wrote to memory of 1184	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	82
PID 2812 wrote to memory of 1184	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	82
PID 2812 wrote to memory of 2416	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 2416	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 2416	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 1308	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	84
PID 2812 wrote to memory of 1308	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	84
PID 2812 wrote to memory of 1308	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	84
PID 2812 wrote to memory of 112	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	85
PID 2812 wrote to memory of 112	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	85
PID 2812 wrote to memory of 112	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	85
PID 2812 wrote to memory of 2428	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	98
PID 2812 wrote to memory of 2428	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	98
PID 2812 wrote to memory of 2428	2812	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe	98
PID 2428 wrote to memory of 2788	2428	cmd.exe	100
PID 2428 wrote to memory of 2788	2428	cmd.exe	100
PID 2428 wrote to memory of 2788	2428	cmd.exe	100
PID 2428 wrote to memory of 2272	2428	cmd.exe	101
PID 2428 wrote to memory of 2272	2428	cmd.exe	101
PID 2428 wrote to memory of 2272	2428	cmd.exe	101
PID 2272 wrote to memory of 2608	2272	audiodg.exe	104
PID 2272 wrote to memory of 2608	2272	audiodg.exe	104
PID 2272 wrote to memory of 2608	2272	audiodg.exe	104
PID 2272 wrote to memory of 2536	2272	audiodg.exe	105
PID 2272 wrote to memory of 2536	2272	audiodg.exe	105
PID 2272 wrote to memory of 2536	2272	audiodg.exe	105
PID 2608 wrote to memory of 2516	2608	WScript.exe	106
PID 2608 wrote to memory of 2516	2608	WScript.exe	106
PID 2608 wrote to memory of 2516	2608	WScript.exe	106
PID 2516 wrote to memory of 2020	2516	audiodg.exe	107
PID 2516 wrote to memory of 2020	2516	audiodg.exe	107
PID 2516 wrote to memory of 2020	2516	audiodg.exe	107
PID 2516 wrote to memory of 2084	2516	audiodg.exe	108
PID 2516 wrote to memory of 2084	2516	audiodg.exe	108
PID 2516 wrote to memory of 2084	2516	audiodg.exe	108
PID 2020 wrote to memory of 2652	2020	WScript.exe	109
PID 2020 wrote to memory of 2652	2020	WScript.exe	109
PID 2020 wrote to memory of 2652	2020	WScript.exe	109
PID 2652 wrote to memory of 940	2652	audiodg.exe	110

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54089b721bddf319a3f62f8df5b18033_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UUEEYnIMt0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2788
- - C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
    "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2272
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\952bab68-a9b9-4ef3-9ec6-ec20df9c0e6d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77655c12-880d-47f6-bdd3-5124a22e65b5.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc56c317-5f2e-47a1-a583-c8503cd8e0cf.vbs"
        8⤵
        
        PID:940
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d29ca871-f65c-4473-ae36-b72a5271ea42.vbs"
        10⤵
        
        PID:908
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ba8c9e-0cf8-44a7-8624-0466470058a3.vbs"
        12⤵
        
        PID:2932
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6113076c-d779-4205-9b57-2db688d24835.vbs"
        14⤵
        
        PID:1292
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ea355d-e38e-4995-9e7d-f7621857673d.vbs"
        16⤵
        
        PID:2284
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5949801-f63d-4529-95d1-eec88674c126.vbs"
        18⤵
        
        PID:2580
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a33b7db1-439d-4d45-b918-26e0e2384e24.vbs"
        20⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7562219e-424e-406a-85a0-2f2bddcb37e6.vbs"
        20⤵
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\587dc622-846c-4347-843b-a0723fdfa988.vbs"
        18⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05cac44e-125d-4878-a120-966c1fdb68a8.vbs"
        16⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98bc2ea0-9479-46e4-ac77-8821de0cd7ee.vbs"
        14⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3721e3f2-5893-4637-b3f3-c90298c47a64.vbs"
        12⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3aaece5-3995-415a-90e3-c8f74341adab.vbs"
        10⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f10c4ec3-b143-41d1-b22a-079ab79d6d39.vbs"
        8⤵
        
        PID:2332
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\019ae898-fdff-4470-8c75-617a68fd8586.vbs"
        6⤵
        
        PID:2084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a2eca84-e040-4825-b068-0f400af1c275.vbs"
      4⤵
      PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Solitaire\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe

Filesize
1.9MB

MD5
54089b721bddf319a3f62f8df5b18033

SHA1
730c65bf2c9321979125dc562b5af6b4a6204c04

SHA256
3e5c92ebdbc350c5d12d8a684ae957f570f9fed8c4099415f1d9206c910886a5

SHA512
1aee4a16c043db5a6b6e4fb69a014b55f849027b1ea78b716baf27413671945fbc8d6b76eb15ac9c5e066b6a12c965d4420ee4f0036e602c8543301cd4d27981

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a2eca84-e040-4825-b068-0f400af1c275.vbs

Filesize
512B

MD5
e95362d30b9fec0f6546adf2175def80

SHA1
cfc6f6d5a0db8e35eb5e35612db49359cb82fe75

SHA256
a50d45f5585c192a92dd637248177677ceac9691865d495aa922be63f5638784

SHA512
325bfa115dc6f8b3181eba46e63e22eb603363a5aed0ad2eadf4e5961a62a9141a2ae075ac33532f847e0f553ef530516ca3aa3f8bdf83adb1ab11ed55c9c92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6113076c-d779-4205-9b57-2db688d24835.vbs

Filesize
736B

MD5
9f8ec656cc522649ba8b56a6d47afc48

SHA1
a625297bd8f043170f7e454e4c0f02bff165e66f

SHA256
e8e4f6cefaa2f297ce0d6d3249452fbc4c936ca870921210d1f00540b2cb6bf8

SHA512
ae3a2b626db850a51cd7aa0ce297b860073bd7216a21c97c084b0f76a4e9b7db31cdb487e3f14665aa4b808b43d8121f8ece00e27ce3afbb9a54182ba9d30d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\72ba8c9e-0cf8-44a7-8624-0466470058a3.vbs

Filesize
736B

MD5
619b4bb73a7e35d195ef458a57afa059

SHA1
a5985233e34195384cc7e4bea8c939af987dcd4c

SHA256
888f2d363d93b4143065f84302c8e8f2c9591c9807f628a868529ef640696fc3

SHA512
e90679c82ee3e60b6de7fb396d39dab72c5fc10b44470484e4cb9c408d3217b382a3c782b170ba5a269782e8a340d2ec6af2bf62dd6ce12377fbff15c8d9dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\77655c12-880d-47f6-bdd3-5124a22e65b5.vbs

Filesize
736B

MD5
6af468a0f28dbd9834816d0bd33a736b

SHA1
163b4b55c6cb5e0f0ee86c46efa9c81866358103

SHA256
b173bdd5859d5925368dad9aa4902ba5868a7cef2833c8c98ed1eba8a532e095

SHA512
2839355df012e8240ccb5462c83a4e7904794f26b3bc56ff3b6583882dab2196985e6ac65b22a4b599d3c6e5eee5cbb21fad482deb7f2318e9c4cb53c6539065

Download Submit
C:\Users\Admin\AppData\Local\Temp\952bab68-a9b9-4ef3-9ec6-ec20df9c0e6d.vbs

Filesize
736B

MD5
60514db169f84b5653d4e2ef57966500

SHA1
2b51dc2a49eb01baf98559de60eeabe0f54f410e

SHA256
3447c0afdb87a90ccfed9cc420c54fd900d1ac855c0947e4b718edba2e7d1868

SHA512
99d19d8d182ff45285f32c9c319407d518f43b56cc51010227c0eb21a5a1befdfa6fb6503e248987f471f8a7624b444281b2116e126f89ef2078b2991a7c887c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUEEYnIMt0.bat

Filesize
225B

MD5
0fc90920b24bb14b6abd1ea6e4959056

SHA1
8172599fad8a9e0437c2badb2d90bb25c57ba328

SHA256
96eb48e4e5f41d52261ee5c64cce2d98f1ce4fe3637932cd81af5244100b6637

SHA512
4b8b1fc7a95e8e13c421e95bd132321b864302dc72023e22aeed97a69c09651ea4aa94cd922effc7a0742fb435928b46656d3ba57c2c840396ce36dae4a2a775

Download Submit
C:\Users\Admin\AppData\Local\Temp\a33b7db1-439d-4d45-b918-26e0e2384e24.vbs

Filesize
735B

MD5
4f714c56da2f322e9f892e281718a1c1

SHA1
2c857212a177b1971be1ef461dfb82f94d30e827

SHA256
f20cbe645136a7b9cac8ed31da88437abc8ce6d7993710ce37eeaed09f99ae1b

SHA512
0118b51e4ae2c244be3ce8f34d14ddcdd8a598745ce253a11ee98cae6b65911e6d74600b152fa3dd743f3d1eec6a86850e7bbc55cc0a7ff5b8443f9e5f8f602b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d29ca871-f65c-4473-ae36-b72a5271ea42.vbs

Filesize
736B

MD5
ad23f6f41004ae33d7d5dc6a1bf563de

SHA1
11fcbf3f1d8d8acceb36c350574d3fbb55a79155

SHA256
9fc397a94cdc1380357de81fbc5068c17ded353e8d9cbf120d2293d19937174d

SHA512
d03c9fa728f6b295cb1b783e7cbeba177bdce457a001a22a4908f74a866c6fc05bc5068527cc6aa636afd82098520c6d5484d10a427bdf847eeeb119e92f37ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\e24e9823b8ce45830498d04813efde08e1bdaeb8.exe

Filesize
1.9MB

MD5
7993dadf77c4f4002f08d29f73194f0c

SHA1
a71d46bff30babee356f13645850856d8ecb143f

SHA256
eb99fdf9588f82c5e8c560ed13fbb0b035cbc433574f6c3acd7bb297977d8059

SHA512
23bcc3131714b376cd09859df9bd25881b78ba06855a1c8f1533503d061dad14121923a43adfe7aa67a265541ceb2731a75b47631c58f7b6b0e908018d52106d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ea355d-e38e-4995-9e7d-f7621857673d.vbs

Filesize
736B

MD5
81b9ceac97b8ed5187c3f9becd91d876

SHA1
d657662def64bd0cb9f73cfec54dc2c578a14e1b

SHA256
77fbc55c78f6777bd9c38c63d3d73957e6320b36a0849b46d987900cae1b6a55

SHA512
1efebc441b35d31a00157cee6041889c02ee826e5831f788abc31d73e5e1540c50fcc33f4ea0de49bfe640d6d523185ce768b1be76949bcd374afb30d6635ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5949801-f63d-4529-95d1-eec88674c126.vbs

Filesize
736B

MD5
8906b037eb515edbb8bdb1e80a9689fb

SHA1
041b238549086cc953344cee76eb262955b84ef8

SHA256
d702250fa1bb410686c9a1bee75031028ede6b473f4a09fa9a8f7bffd9e4d271

SHA512
48a753c3466041617d58c80314224d6d906ffe9b95c79036e92b37df34568f9a6d0f5f87cfd8716e457e7dfe9c5f74e605f90427d26a8487014797c724629f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc56c317-5f2e-47a1-a583-c8503cd8e0cf.vbs

Filesize
736B

MD5
cfe858e6bc3fd54c895e2beb5071b428

SHA1
9d67d23e5926a2f767db05c6ac9a7863277333a2

SHA256
e4e0ce439350101e01c07f81ad722d9603053d36dc0f874d90eca362ce00e1e1

SHA512
e0be3267339c44877d3d218b152980f6903817373e0900b9abd513badb4c44d82b9d9691925cdd4429733376a2a1626317ad51429cc60491bd79af0cc9fa2e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e1bfbee5c64af808632f8157b916057

SHA1
0f2973816e6c41d098b122b240ba2590aa13da15

SHA256
5890127dac68645bb61c1299f0e12e34f5bf368c48edfba2e8ad9559e939c5ac

SHA512
96cc90a30a1c087af4e24a38c0d57fd8900dfcef5d9546551917eabb1da4632cab4d502f9d9272e9b9ec9d46a5f77c49b143fa16a5b5ab61de0d297ce121a86e

Download Submit
memory/528-196-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1308-194-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1724-255-0x00000000003C0000-0x00000000005A8000-memory.dmp

Filesize
1.9MB

Download
memory/1840-291-0x0000000001210000-0x00000000013F8000-memory.dmp

Filesize
1.9MB

Download
memory/1968-267-0x0000000000FF0000-0x00000000011D8000-memory.dmp

Filesize
1.9MB

Download
memory/2272-222-0x0000000000C90000-0x0000000000E78000-memory.dmp

Filesize
1.9MB

Download
memory/2340-279-0x0000000001170000-0x0000000001358000-memory.dmp

Filesize
1.9MB

Download
memory/2812-11-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/2812-12-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2812-25-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-21-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-19-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/2812-20-0x0000000002110000-0x000000000211A000-memory.dmp

Filesize
40KB

Download
memory/2812-18-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/2812-197-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-17-0x00000000020E0000-0x00000000020EE000-memory.dmp

Filesize
56KB

Download
memory/2812-14-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2812-16-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2812-15-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2812-13-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2812-22-0x0000000002120000-0x000000000212C000-memory.dmp

Filesize
48KB

Download
memory/2812-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2812-10-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/2812-8-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2812-9-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2812-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2812-7-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2812-5-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2812-4-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2812-3-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2812-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-1-0x0000000000030000-0x0000000000218000-memory.dmp

Filesize
1.9MB

Download