dcrat | dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Size

4.9MB
MD5

a989323c5d31feee33f0e42f770ca92b
SHA1

22643f98a0cc659cf88354b9f530a585670782ad
SHA256

dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533
SHA512

f8127535a921d725b6cb08120d50c339a66a1f02414d168f41d7f81584e4e45864eab8f68ab45d550422ee198ad6dae185f9c9828259ed6b28c54d0690ecb592
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2752	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exedd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2824-3-0x000000001B2E0000-0x000000001B40E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
792	powershell.exe
1612	powershell.exe
1884	powershell.exe
1984	powershell.exe
1760	powershell.exe
1404	powershell.exe
1596	powershell.exe
2524	powershell.exe
2364	powershell.exe
1028	powershell.exe
1888	powershell.exe
1600	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2428	csrss.exe
1484	csrss.exe
2588	csrss.exe
1108	csrss.exe
3040	csrss.exe
2604	csrss.exe
664	csrss.exe
1888	csrss.exe
2844	csrss.exe
2224	csrss.exe
2920	csrss.exe
3012	csrss.exe
1984	csrss.exe
1520	csrss.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exedd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2792	schtasks.exe
2576	schtasks.exe
2748	schtasks.exe
2676	schtasks.exe
2584	schtasks.exe
2688	schtasks.exe
536	schtasks.exe
2564	schtasks.exe
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
1600	powershell.exe
792	powershell.exe
1984	powershell.exe
1596	powershell.exe
1884	powershell.exe
2524	powershell.exe
2364	powershell.exe
1612	powershell.exe
1888	powershell.exe
1028	powershell.exe
1760	powershell.exe
1404	powershell.exe
2428	csrss.exe
1484	csrss.exe
2588	csrss.exe
1108	csrss.exe
3040	csrss.exe
2604	csrss.exe
664	csrss.exe
1888	csrss.exe
2844	csrss.exe
2224	csrss.exe
2920	csrss.exe
3012	csrss.exe
1984	csrss.exe
1520	csrss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2428	csrss.exe
Token: SeDebugPrivilege	1484	csrss.exe
Token: SeDebugPrivilege	2588	csrss.exe
Token: SeDebugPrivilege	1108	csrss.exe
Token: SeDebugPrivilege	3040	csrss.exe
Token: SeDebugPrivilege	2604	csrss.exe
Token: SeDebugPrivilege	664	csrss.exe
Token: SeDebugPrivilege	1888	csrss.exe
Token: SeDebugPrivilege	2844	csrss.exe
Token: SeDebugPrivilege	2224	csrss.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	1984	csrss.exe
Token: SeDebugPrivilege	1520	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	process	target process
PID 2824 wrote to memory of 1600	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1600	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1600	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1760	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1760	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1760	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1884	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1884	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1884	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1612	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1612	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1612	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1888	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1888	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1888	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1028	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1028	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1028	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2364	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2364	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2364	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1984	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1984	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1984	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2524	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2524	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 2524	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 792	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 792	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 792	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1404	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1404	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1404	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1596	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1596	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 1596	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	powershell.exe
PID 2824 wrote to memory of 3004	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	cmd.exe
PID 2824 wrote to memory of 3004	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	cmd.exe
PID 2824 wrote to memory of 3004	2824	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe	cmd.exe
PID 3004 wrote to memory of 876	3004	cmd.exe	w32tm.exe
PID 3004 wrote to memory of 876	3004	cmd.exe	w32tm.exe
PID 3004 wrote to memory of 876	3004	cmd.exe	w32tm.exe
PID 3004 wrote to memory of 2428	3004	cmd.exe	csrss.exe
PID 3004 wrote to memory of 2428	3004	cmd.exe	csrss.exe
PID 3004 wrote to memory of 2428	3004	cmd.exe	csrss.exe
PID 2428 wrote to memory of 2584	2428	csrss.exe	WScript.exe
PID 2428 wrote to memory of 2584	2428	csrss.exe	WScript.exe
PID 2428 wrote to memory of 2584	2428	csrss.exe	WScript.exe
PID 2428 wrote to memory of 1196	2428	csrss.exe	WScript.exe
PID 2428 wrote to memory of 1196	2428	csrss.exe	WScript.exe
PID 2428 wrote to memory of 1196	2428	csrss.exe	WScript.exe
PID 2584 wrote to memory of 1484	2584	WScript.exe	csrss.exe
PID 2584 wrote to memory of 1484	2584	WScript.exe	csrss.exe
PID 2584 wrote to memory of 1484	2584	WScript.exe	csrss.exe
PID 1484 wrote to memory of 1652	1484	csrss.exe	WScript.exe
PID 1484 wrote to memory of 1652	1484	csrss.exe	WScript.exe
PID 1484 wrote to memory of 1652	1484	csrss.exe	WScript.exe
PID 1484 wrote to memory of 1732	1484	csrss.exe	WScript.exe
PID 1484 wrote to memory of 1732	1484	csrss.exe	WScript.exe
PID 1484 wrote to memory of 1732	1484	csrss.exe	WScript.exe
PID 1652 wrote to memory of 2588	1652	WScript.exe	csrss.exe
PID 1652 wrote to memory of 2588	1652	WScript.exe	csrss.exe
PID 1652 wrote to memory of 2588	1652	WScript.exe	csrss.exe
PID 2588 wrote to memory of 2136	2588	csrss.exe	WScript.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exedd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe
"C:\Users\Admin\AppData\Local\Temp\dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1pqWF3ZRZL.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:876

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
"C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\005401e9-6d70-4557-80f0-676fbc69df5a.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98de0e2b-e865-491f-be37-314faac38470.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71e28c2e-3fce-4b62-bfa3-0ef0b0c2c0ea.vbs"
8⤵
PID:2136

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aea88946-6d02-4394-a58d-f0a0b4b8b42e.vbs"
10⤵
PID:872

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e828c0-9ad3-48b4-9fda-a527bb952a03.vbs"
12⤵
PID:2460

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef065700-451a-4253-b0b3-010cf6600d52.vbs"
14⤵
PID:2436

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e4c307a-868a-4b2c-a2d9-72a89832ea7f.vbs"
16⤵
PID:1872

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19572b89-4e5a-40e8-9c00-6630ae9f1890.vbs"
18⤵
PID:900

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b052c949-45c9-42dd-9433-40617d8bf66e.vbs"
20⤵
PID:2696

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dde6387-442f-43ee-b8a7-0f75b6c1b020.vbs"
22⤵
PID:1440

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11f6ab84-a0ff-49db-a432-2d9ef185f044.vbs"
24⤵
PID:840

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f37127c-af80-4250-94c0-0f2a1979123d.vbs"
26⤵
PID:1488

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9c4a7c-6f56-4805-95d2-897859f33e98.vbs"
28⤵
PID:1512

C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
29⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b15d16c-f0f5-403a-a77d-3214d265906f.vbs"
30⤵
PID:2604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fae552e-4eb8-4a48-ab03-730f3f299a72.vbs"
30⤵
PID:496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c02dec0-e821-4e55-9a65-feb188fc2231.vbs"
28⤵
PID:2900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156aea7e-ef03-4080-b2e0-fd376bd3a9d5.vbs"
26⤵
PID:2356

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa26c1f0-7a6e-4169-a5c5-6cf97102b972.vbs"
24⤵
PID:792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7524ad23-2cb6-4e80-8826-6c84f1e3becc.vbs"
22⤵
PID:2472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87fe0cba-a57e-43e3-a668-60d09df9608c.vbs"
20⤵
PID:2608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83003bd3-e105-402e-9180-6c7f4ab3c55a.vbs"
18⤵
PID:1612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\481a2791-eae2-4838-bd96-e5621d08a54f.vbs"
16⤵
PID:2504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aced674-3f0f-4fad-8636-cbe4631e18f0.vbs"
14⤵
PID:2188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1645269-16ad-4c43-9564-007f418e816a.vbs"
12⤵
PID:2988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d013b9d-b24a-4e3d-b31b-6563967b24fb.vbs"
10⤵
PID:2044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc74e3d-02da-45b2-aea8-ce6992d9ae49.vbs"
8⤵
PID:1996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcf0e5ca-f7e3-4122-8612-a84d3ff45697.vbs"
6⤵
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3a8973-27e0-4ba4-8a1d-bc04a73a7927.vbs"
4⤵
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\005401e9-6d70-4557-80f0-676fbc69df5a.vbs
Filesize
734B

MD5
54d9eef52bbb2954cd34b4178be8f1f5

SHA1
dd4e75854d9027957fa2aebfa994494a17697647

SHA256
198dc54f84500ad5f748841561ebfb2ac2c9392188fb7a84a0a18d8dfd5b4d85

SHA512
a3956b2a46a0871b3465746fc863a5e6addedfeea93f0236b03b8b1b3a0f26aabfe1b2a7b437fcaf195a4e719205f34a1815b09cb2679407f7fdc4ec5350b2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\11f6ab84-a0ff-49db-a432-2d9ef185f044.vbs
Filesize
734B

MD5
5667b58404ddc887675315f3e986e076

SHA1
0814d84d29f78f5752b691ce15be0663acce85b4

SHA256
4128464dc57a0311689a3fa51710b86a13a5a91d872845a58ffce140d403f8a2

SHA512
43ec9041124f6f1d9e869fac6c35928b7f3252c885363e3ff87bc7eaf6b4833bcfb8f6a9aa3aa083a48f4e7672bab121d806e4ba6b440cfd3ac6c1cc29835a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\19572b89-4e5a-40e8-9c00-6630ae9f1890.vbs
Filesize
734B

MD5
342d6ef184de53d73ee5e51a60c7fa26

SHA1
051cf97d49f04d0c1cc5db76c217841b1d55afde

SHA256
7cda9de37c9b7420b917e2eaca9f00a4ab0a2915400d92e7392389346e44cd99

SHA512
f373e7a472a424caac89dd0d0626a9c7296dcb1454abbf5618e0501b0668a07e30370ab10375a286427a0e0f713358371c7f3b46689b5c2ff414effb7ea4f570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f37127c-af80-4250-94c0-0f2a1979123d.vbs
Filesize
734B

MD5
0ae505ad75449510ae32a056df4c4dcd

SHA1
41ee10287f611f0e383d74cf12352bfbc65e4b3c

SHA256
53a5434aa14cb5197972863fd40e5841db836edd283e388a703777338764d43c

SHA512
791aebd7b4c0ffb3f7e1ffbfe194e7bec4b0c508a50aa255e3d4ea35e48da2fa2a563207eb19f05411bdd2b8d9596000636e6c4064eea67ba9f043d70c539d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pqWF3ZRZL.bat
Filesize
223B

MD5
5386b4b5fd4a5536afc10e53f0e204ed

SHA1
88ccbec1adf8b37f52e79175218119a494997cf5

SHA256
86aa0d5c501c63f90dc0e18f541a939cccd5f0356846f8e936ca2d9f74b73a08

SHA512
b80902804b79e9b6676956f63dde9f407f7e15bd288b0d2d8ef5e520feb80063a5e8b51f3044d0c71a30a0e356678aa25191cbb10bfb0b1b691fe9dd3ef36a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e4c307a-868a-4b2c-a2d9-72a89832ea7f.vbs
Filesize
733B

MD5
19b43149cbe190f4510a9ab344151de2

SHA1
906514f1a41f6fcabbfcad1043287f48a7d71cb6

SHA256
b3b0afa74fa37a793738868403ddd886c41fe6caa5b33c99fad59ae165fd261f

SHA512
53617370e92d74ebba995b505442695deb357d1c7dcb88a07af15077bdcd1ebe768315a0b877cc6b1087a5bfd79db8c4b601bb7a1c87dbf5ac65f1ded14d13a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\65e828c0-9ad3-48b4-9fda-a527bb952a03.vbs
Filesize
734B

MD5
cc43da9d1b1e723e57fcbd119c6d2dd9

SHA1
bac40bf0ee599eb5d25018d0851f1beb1b4b4c1f

SHA256
09f6ce2991d6177c40411eb517d9ab195c42fdd7f63c2d603364b0d289e2c98a

SHA512
6e10ae7ba3ac267d978e1e46fe288f149d416dbb575684a818d873a0654b40696df69c13863efc2b3ea049c212bc0fe8e5bf8dd59aee38bc1b5a6366e20579cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\71e28c2e-3fce-4b62-bfa3-0ef0b0c2c0ea.vbs
Filesize
734B

MD5
c873a5ab7578d2813abb551e6752a389

SHA1
54bccd7dcca21c61ea317bacde5d1d92004613aa

SHA256
3eefb06ad792f53ff93f7ecedce9f2409190739b9e5f55aa801608129663ae3b

SHA512
9dffbfaaa45b15f47356f3eb779c5a5c470f50da93342f2cad0768d9f6c5fd0610d30336863bd8b27b773257060856c55c7fc3a1eb52890d47847860b44e5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dde6387-442f-43ee-b8a7-0f75b6c1b020.vbs
Filesize
734B

MD5
f7f698aa42447094a705d63f9ef350e4

SHA1
524c8bf4c7385323bce3bcdf592f7b860e31ad72

SHA256
703d1597d0d2ec3eb3e88b98d9b492f5c0200f899e047547ffba6efa47799462

SHA512
c6d36098a8a5b04d6335c5caebb4bb6e574f4e7201462194c244b26d9c40c7ca62c931a5813b7040fd4158575ceea1e6e2f45e65607d32594d9b34b31f7772c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\98de0e2b-e865-491f-be37-314faac38470.vbs
Filesize
734B

MD5
f8b79cdec1b6d5c84996debc10a12985

SHA1
8cfa84113c5cd53f90fc4a3b01ab83739983a120

SHA256
90d82e1d176a2d89504c2b1c21ad0d4cd161f949fa3aacbd435714d29d7623f2

SHA512
da0567924642584fa3c1f503a6da56bdc90d550f0e212cfad9dff9f14ec4ebdf77fc7949defaf6f4c8b101c5bc42f88353bd24b312ca138ea0f6440fc62a1080

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac3a8973-27e0-4ba4-8a1d-bc04a73a7927.vbs
Filesize
510B

MD5
c669c97cdad6b1d111abd49c70bdffba

SHA1
3ffa3c8b796257bb418ebdae49245e1e20165840

SHA256
03570eb84cd5129170607d2ca5f54cb02cf661e86d67f3ef63133dfaf09334b3

SHA512
349c393532e6fdb3f708e1dbeeb374b02a7f0bd1bfc445fa6c0d53b4d734f38592de438c07ec4daf41f6168eac973fe26bf66cac9ee68f9973a913be73cf1353

Download Submit
C:\Users\Admin\AppData\Local\Temp\aea88946-6d02-4394-a58d-f0a0b4b8b42e.vbs
Filesize
734B

MD5
e38a099dec2f9016d017bdf274858696

SHA1
576334cdb0fb69906b1865420a0414341310cd35

SHA256
f69035a5018787a8e057cbb64bff75a06b93de3a855b3ad865708fcc1e01bf75

SHA512
5ecc9b58f0ed484e357949d5d33bb8850c3318b1a7570463b8f90c627b59da39a7e3b1ae6c770a8ce358e6a59a855c8fc1ef148b3497e53908fea73a9f0c44ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\b052c949-45c9-42dd-9433-40617d8bf66e.vbs
Filesize
734B

MD5
bd3684b80f64d9a5d0153e1600edb75e

SHA1
07d99e07a2e33baf82b84aae34bf7380fc61ad56

SHA256
2a78bd3fd214881bca25afa43648d6ed7fd5798cac1f0a40b8dffe16d18e524b

SHA512
d7b2ee8627e189c286be5b0e83e91ad0f611a81baa702c39e712c4fba9d08a224d8a013c803d7f74232cb33cd30e8084c85883b199ec5b654b934233509b70bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed9c4a7c-6f56-4805-95d2-897859f33e98.vbs
Filesize
734B

MD5
245ebe9dfea025ef594d4b84cab7faa1

SHA1
e8c84d1365a22a2e5ded4b664839e008f456e865

SHA256
3c589cda31813f0f67efd373bd3d3df60ce44ae2524976e6a2b44be301c8a847

SHA512
78fd7cfc74613427b1c176af3bf64ee4daa98976cda78f96a763ea8997af093291054f258ecc64e12e37ba38a382fb1424ef9f415e4566c5953ae68220cf6aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef065700-451a-4253-b0b3-010cf6600d52.vbs
Filesize
734B

MD5
c0a74933163672e20ace7c0e5d699169

SHA1
1e50829bb196132d160bcb6678711e41119bf3e2

SHA256
277a5720f7167e1aa3640aeafb07e38597808db8ca81ee98c90dcebe47f9a89f

SHA512
c588b2b56b3c97fe56dc1b8f8031503d6ac780c5d33a6e78a6e8575587b7d3460f84bdefba5a27bba7f454f2e107ddc3719eded42d19474f69bde16708b8e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE53.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3990e911e0788b6cd68c018c9edf55c6

SHA1
4a186ea0e60034987c79e559f44ae4cc711efadc

SHA256
6a6e39188e28d3d6ebce64d9e809e644838e8b51f920aca8a6f9abf051c03e33

SHA512
70c5aca315b541e0c312139c80b911b100fdb3022fb3a2f57b5bf8c312f00772ba3c5dc80ea75884a361db37636888e549b509756db27d7db9d79e092a5b527e

Download Submit
C:\Users\Public\Favorites\audiodg.exe
Filesize
4.9MB

MD5
a989323c5d31feee33f0e42f770ca92b

SHA1
22643f98a0cc659cf88354b9f530a585670782ad

SHA256
dd0cd29f30ec294c1f9be803ff516c7f112d98d99ea3e4c5219c5640f4bbe533

SHA512
f8127535a921d725b6cb08120d50c339a66a1f02414d168f41d7f81584e4e45864eab8f68ab45d550422ee198ad6dae185f9c9828259ed6b28c54d0690ecb592

Download Submit
memory/664-207-0x0000000000EB0000-0x00000000013A4000-memory.dmp

Filesize
5.0MB

Download
memory/1108-162-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/1484-131-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/1484-130-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/1520-311-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/1600-60-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1600-57-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1888-223-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/1888-222-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2224-253-0x0000000000E80000-0x0000000001374000-memory.dmp

Filesize
5.0MB

Download
memory/2428-116-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/2588-146-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/2588-147-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2604-192-0x0000000000DE0000-0x00000000012D4000-memory.dmp

Filesize
5.0MB

Download
memory/2824-10-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/2824-6-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/2824-16-0x0000000002730000-0x000000000273C000-memory.dmp

Filesize
48KB

Download
memory/2824-58-0x000007FEF6790000-0x000007FEF717C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-9-0x00000000025C0000-0x00000000025CA000-memory.dmp

Filesize
40KB

Download
memory/2824-12-0x0000000002670000-0x000000000267E000-memory.dmp

Filesize
56KB

Download
memory/2824-8-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2824-0-0x000007FEF6793000-0x000007FEF6794000-memory.dmp

Filesize
4KB

Download
memory/2824-7-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/2824-13-0x0000000002680000-0x000000000268E000-memory.dmp

Filesize
56KB

Download
memory/2824-14-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2824-11-0x0000000002660000-0x000000000266A000-memory.dmp

Filesize
40KB

Download
memory/2824-1-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download
memory/2824-5-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2824-15-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2824-4-0x00000000023E0000-0x00000000023FC000-memory.dmp

Filesize
112KB

Download
memory/2824-2-0x000007FEF6790000-0x000007FEF717C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-3-0x000000001B2E0000-0x000000001B40E000-memory.dmp

Filesize
1.2MB

Download
memory/2844-238-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/2920-268-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/3040-177-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download