Analysis
max time kernel: 1800s
max time network: 1796s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 18:20

Static task
static1

General
Target: b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Size: 4.9MB
MD5: 5a9fb15e8fc1d8162c861ca1544f38f0
SHA1: a7606e286eb27a1a5e95693c594de5c65c5d7aa1
SHA256: b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a
SHA512: a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 108 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2536 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 336 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 780 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1944 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 616 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 912 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2216 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1828 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2296 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 2644 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 592 | 2644 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Processes:
resource | yara_rule
behavioral1/memory/1972-3-0x000000001B430000-0x000000001B55E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2668 | powershell.exe
1304 | powershell.exe
600 | powershell.exe
1352 | powershell.exe
1652 | powershell.exe
1996 | powershell.exe
2344 | powershell.exe
2320 | powershell.exe
784 | powershell.exe
1644 | powershell.exe
1964 | powershell.exe
860 | powershell.exe
Executes dropped EXE (64 IoCs)
Processes:
pid | process
2816 | audiodg.exe
2444 | audiodg.exe
1264 | audiodg.exe
2440 | audiodg.exe
2852 | audiodg.exe
1940 | audiodg.exe
1064 | audiodg.exe
2532 | audiodg.exe
884 | audiodg.exe
1108 | audiodg.exe
1612 | audiodg.exe
2512 | audiodg.exe
572 | audiodg.exe
2252 | audiodg.exe
1848 | audiodg.exe
2148 | audiodg.exe
2880 | audiodg.exe
1740 | audiodg.exe
1756 | audiodg.exe
1508 | audiodg.exe
2960 | audiodg.exe
1032 | audiodg.exe
2340 | audiodg.exe
1400 | audiodg.exe
544 | wininit.exe
2668 | audiodg.exe
2812 | audiodg.exe
2076 | audiodg.exe
2572 | lsass.exe
2404 | audiodg.exe
2708 | lsass.exe
2472 | Idle.exe
2076 | spoolsv.exe
2844 | Idle.exe
2384 | Idle.exe
644 | Idle.exe
1708 | Idle.exe
1432 | Idle.exe
1652 | System.exe
932 | audiodg.exe
2656 | lsm.exe
2536 | Idle.exe
2444 | wininit.exe
2380 | csrss.exe
2960 | csrss.exe
2644 | csrss.exe
2924 | csrss.exe
1356 | csrss.exe
2028 | csrss.exe
2024 | csrss.exe
2312 | csrss.exe
924 | csrss.exe
2940 | csrss.exe
3000 | csrss.exe
884 | lsass.exe
480 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
2692 | csrss.exe
2036 | smss.exe
2296 | explorer.exe
2088 | smss.exe
1764 | smss.exe
1904 | smss.exe
1740 | smss.exe
2992 | smss.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Idle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | audiodg.exe
Drops file in Program Files directory (28 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Mozilla Firefox\browser\features\42af1c969fbb7b | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Windows Mail\System.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Windows Mail\System.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Reference Assemblies\csrss.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\56085415360792 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Windows Mail\RCX61E4.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Reference Assemblies\RCX6B3A.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Reference Assemblies\csrss.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX73C6.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\69ddcba757bf72 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Windows Mail\27d1bcfc3c54e0 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Java\jre7\lib\ext\f3b6ecef712a24 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6658.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Java\jre7\lib\ext\spoolsv.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\RCX7637.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\wininit.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\wininit.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\RCX5DDB.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Reference Assemblies\886983d96e3d3e | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files\Java\jre7\lib\ext\spoolsv.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Program Files\Java\jre7\lib\ext\RCX6FBF.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Drops file in Windows directory (13 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\addins\RCX71C3.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\LiveKernelReports\7a0fd90576e088 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\addins\6b21b2042cab95 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\rescache\rc0004\WmiPrvSE.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Windows\LiveKernelReports\RCX5B5A.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Windows\Tasks\lsm.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Windows\Tasks\RCX68C9.tmp | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\LiveKernelReports\explorer.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification | C:\Windows\LiveKernelReports\explorer.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\Tasks\lsm.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\Tasks\101b941d020240 | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created | C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (48 instances), PIDs: 2216, 1008, 2536, 1944, 2180, 2196, 2428, 2160, 2812, 2676, 2060, 3016, 616, 2044, 2276, 2896, 3036, 912, 1856, 2980, 2332, 2296, 1780, 1088, 108, 780, 2168, 532, 3056, 1028, 2816, 2972, 2472, 592, 1828, 2144, 1288, 1936, 1428, 2728, 2572, 2164, 2444, 2220, 2208, 1560, 336, 2828
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe: 1972 (3 entries)
powershell.exe: 860, 2668, 600, 1996, 1964, 1652, 1644, 1304, 1352, 784, 2320, 2344
audiodg.exe: 2816, 2444, 2440, 2852, 1940, 1064, 2532, 884, 1108, 1612, 2512, 572, 2252, 1848, 2148, 2880, 1740, 1756, 1508, 2960, 1032, 2340, 1400, 2668, 2812, 2076
lsass.exe: 2572
Idle.exe: 2472, 2844, 2384, 644, 1708, 1432
csrss.exe: 2380, 2960, 2644, 2924, 1356, 2028, 2024, 2312, 924, 2940, 3000
smss.exe: 2036, 2088, 1764, 1904, 1740
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token: SeDebugPrivilege, adjusted by the following processes (PIDs):
b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe: 1972
powershell.exe: 860, 2668, 600, 1996, 1964, 1652, 1644, 1304, 1352, 784, 2320, 2344
audiodg.exe: 2816, 2444, 1264, 2440, 2852, 1940, 1064, 2532, 884, 1108, 1612, 2512, 572, 2252, 1848, 2148, 2880, 1740, 1756, 1508, 2960, 1032, 2340, 1400, 2668, 2812, 2076, 2404, 932
wininit.exe: 544, 2444
lsass.exe: 2572, 2708
Idle.exe: 2472, 2844, 2384, 644, 1708, 1432, 2536
spoolsv.exe: 2076
System.exe: 1652
lsm.exe: 2656
csrss.exe: 2380, 2960, 2644, 2924, 1356, 2028, 2024, 2312
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Writer (pid process) -> target (pid process), number of entries:
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 2320 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 2668 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1644 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 860 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 784 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1304 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 2344 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1964 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1996 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 600 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1352 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 1652 powershell.exe (3)
1972 b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe -> 2856 cmd.exe (3)
2856 cmd.exe -> 1944 w32tm.exe (3)
2856 cmd.exe -> 2816 audiodg.exe (3)
2816 audiodg.exe -> 2508 WScript.exe (3)
2816 audiodg.exe -> 2452 WScript.exe (3)
2508 WScript.exe -> 2444 audiodg.exe (3)
1508 WScript.exe -> 1264 audiodg.exe (3)
2444 audiodg.exe -> 2868 WScript.exe (3)
2444 audiodg.exe -> 316 WScript.exe (3)
2868 WScript.exe -> 2440 audiodg.exe (1)
System policy modification 1 TTPs 64 IoCs
Processes:
All 64 entries are "Set value (int)" writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, each setting the value to "0" (process: number of entries):
PromptOnSecureDesktop = "0": audiodg.exe: 16, smss.exe: 4, csrss.exe: 2, wininit.exe: 2, Idle.exe: 1
EnableLUA = "0": audiodg.exe: 11, wininit.exe: 6, lsass.exe: 1, Idle.exe: 1, csrss.exe: 1, smss.exe: 1
ConsentPromptBehaviorAdmin = "0": audiodg.exe: 7, csrss.exe: 4, Idle.exe: 2, wininit.exe: 2, lsass.exe: 1, smss.exe: 1, b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe: 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe  "C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"  [depth 1]
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'  [depth 2]
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwmW5ZiuB3.bat"  [depth 2]
- Suspicious use of WriteProcessMemory
PID:2856
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  [depth 3]
PID:1944
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 3]
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"  [depth 4]
- Suspicious use of WriteProcessMemory
PID:2508
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 5]
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2444
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb1eaeb-6187-415e-978f-b68aa8e53c70.vbs"  [depth 6]
- Suspicious use of WriteProcessMemory
PID:2868
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 7]
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a957ed-c25f-4329-a969-4602cc19c6d6.vbs"  [depth 8]
PID:2588
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 9]
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2852
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1e55dd-f46d-4bab-bf94-d978cde6df20.vbs"  [depth 10]
PID:1740
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 11]
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef105459-3e1e-4d47-9632-0b5048fae436.vbs"  [depth 12]
PID:1964
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 13]
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1064
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1477a36b-e1b5-4cd9-9369-c11203a3d45c.vbs"  [depth 14]
PID:2320
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 15]
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\974d9147-ea43-4c17-a2de-ec4ceeb32ca5.vbs"  [depth 16]
PID:2900
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 17]
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291d1841-97a1-4377-a667-b8cba52acf26.vbs"  [depth 18]
PID:2652
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 19]
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1108
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a781c9-34ce-4a67-9589-762570e27eb0.vbs"  [depth 20]
PID:1732
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 21]
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0469aeb-e29a-4161-9451-29994f373be2.vbs"  [depth 22]
PID:1500
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 23]
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512
C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f80a40-0455-4dc4-9944-654a54be4a05.vbs"  [depth 24]
PID:1004
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"  [depth 25]
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa74fcd7-1681-45ab-af55-0c17c74bbdaf.vbs"26⤵PID:912
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2252 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d143383-7fcf-4ace-8c27-5d0cb288723e.vbs"28⤵PID:1428
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1848 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc5acc9-5221-46cf-b352-0e5cfe853300.vbs"30⤵PID:1956
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"31⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2148 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb34b2de-7d9f-4bae-9791-51a4d7c06080.vbs"32⤵PID:1576
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e80b1a9-f08a-4f81-86f3-ed16a1140d7e.vbs"34⤵PID:2588
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"35⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1f929d-98a8-4342-a855-ee152fc6fa8e.vbs"36⤵PID:2384
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"37⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5dfbf2-6f1b-40c8-b87a-599fe25ac2db.vbs"38⤵PID:1792
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9493a9a-16e8-459d-9468-3c457eb683f0.vbs"40⤵PID:1288
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"41⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a64125a-3628-4029-81a6-606c2ef2c7c0.vbs"42⤵PID:1768
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"43⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2730f9c1-5954-4f90-9195-43099133bb10.vbs"44⤵PID:2004
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a873253-3fca-4b09-9298-a96040251e8e.vbs"46⤵PID:1916
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1400 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c80a1c4-4e97-4139-ab68-034aabb694a1.vbs"48⤵PID:2556
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"49⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a437a4c1-adb9-4273-8f0f-6da40c12cac4.vbs"50⤵PID:2536
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"51⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2812 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a18ebea0-8d75-4bef-b4d8-e274315d075a.vbs"52⤵PID:2228
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"53⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2076 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b43bd8-abe3-40fa-bda8-8fdb130317dc.vbs"54⤵PID:1772
-
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c9a0ba-958f-4d7e-bf68-ecd593a8ef12.vbs"54⤵PID:2084
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8522b6de-e88c-4581-b361-123d34e735b7.vbs"52⤵PID:1324
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592ab024-09be-4bd6-b5bc-184908320269.vbs"50⤵PID:2248
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1803fcf7-2912-45e5-af56-dbeb13c856d0.vbs"48⤵PID:1108
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0136ae81-dba5-40f1-b484-7d0cec927eee.vbs"46⤵PID:1004
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb4df6a1-d195-46cd-824e-17ef2e406e0e.vbs"44⤵PID:532
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67549861-7820-40e4-8bbe-ec0d93d02377.vbs"42⤵PID:576
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2144448b-de06-41b1-8db0-31feac3ee96b.vbs"40⤵PID:2288
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f1ca7e-d6b0-4432-bcd8-5d4b011468ea.vbs"38⤵PID:2184
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e365e2fe-0ebb-4218-8f90-3cdff504c246.vbs"36⤵PID:2884
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c2d7589-5d94-4526-bcb6-e9d8ae43daca.vbs"34⤵PID:2200
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f378fe0-f77b-4570-9d08-16c300f5c284.vbs"32⤵PID:2144
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5090c9dc-264c-424f-b112-1d051a3ad28c.vbs"30⤵PID:1132
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad009bc7-c7f4-4b47-9657-f93458490cd9.vbs"28⤵PID:2272
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e690dd7-b0e9-4157-8fac-273162c5a735.vbs"26⤵PID:2732
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4daf1837-0be6-4da3-b831-fe34e5beb302.vbs"24⤵PID:1208
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f504e58-2dc6-4995-9448-b333fad48092.vbs"22⤵PID:996
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7954474d-213c-456a-975b-eafd3d1b9e57.vbs"20⤵PID:2832
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92d3eb91-94e4-45e2-bf51-765c65d97989.vbs"18⤵PID:540
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4fa3bab-3d05-42a2-925b-c8d7f893297e.vbs"16⤵PID:1680
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4adce45-683c-482a-bd38-635d15925729.vbs"14⤵PID:2484
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb3bc06-7f64-4d3a-9f41-ddbbdb9c7ef8.vbs"12⤵PID:2000
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"10⤵PID:2364
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"8⤵PID:880
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02df486-ce78-4e0b-a26e-e5661bc9e67b.vbs"6⤵PID:316
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"4⤵PID:2452
-
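The branch above is the bulk of the tree: every copy of audiodg.exe writes a GUID-named .vbs to %TEMP%, runs it with WScript.exe, and that script starts the same executable again, so the chain alternates dropped exe, WScript.exe, same exe down to depth 55, with a second, childless .vbs beside each hop. The following is an added example, not sandbox output or code from the sample, that reconstructs this relaunch loop from a list of process events. The event list is constructed from PIDs and paths shown above (the first entry is given ppid 0); the helper names and the GUID-in-%TEMP% pattern are assumptions for illustration.

```python
"""Spot the WScript.exe relaunch loop that makes up most of the process tree above.

Added example, not part of the report or the sample. Events are constructed from
PIDs and paths in this report; the ppid of the first entry is set to 0.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A GUID-named .vbs under the user's %TEMP%, which is how the dropped scripts are named here.
TEMP_VBS_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.vbs", re.I)

AUDIODG = r"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"


def _vbs(name):
    """Command line of a script host running one of the dropped .vbs files."""
    return f'"{WSCRIPT}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\{name}.vbs"'


# Constructed from the tree above: depth 16 through 21 of the audiodg.exe branch.
EVENTS = [
    Proc(2900, 0,    WSCRIPT, _vbs("974d9147-ea43-4c17-a2de-ec4ceeb32ca5")),
    Proc(884,  2900, AUDIODG, f'"{AUDIODG}"'),
    Proc(2652, 884,  WSCRIPT, _vbs("291d1841-97a1-4377-a667-b8cba52acf26")),
    Proc(540,  884,  WSCRIPT, _vbs("92d3eb91-94e4-45e2-bf51-765c65d97989")),  # childless sibling
    Proc(1108, 2652, AUDIODG, f'"{AUDIODG}"'),
    Proc(1732, 1108, WSCRIPT, _vbs("21a781c9-34ce-4a67-9589-762570e27eb0")),
    Proc(2832, 1108, WSCRIPT, _vbs("7954474d-213c-456a-975b-eafd3d1b9e57")),  # childless sibling
    Proc(1612, 1732, AUDIODG, f'"{AUDIODG}"'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def runs_temp_vbs(p):
    """True when a script host is executing a GUID-named .vbs dropped in %TEMP%."""
    return basename(p.image) in SCRIPT_HOSTS and TEMP_VBS_RE.search(p.cmdline) is not None


def relaunch_depth(events):
    """For each process, count the exe -> script host -> same exe hops in its ancestry.
    Returns {pid: hops} for every process with at least one hop."""
    by_pid = {p.pid: p for p in events}
    depths = {}
    for p in events:
        hops, cur = 0, p
        while True:
            parent = by_pid.get(cur.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            if grand is None or not runs_temp_vbs(parent):
                break
            if grand.image.lower() != cur.image.lower() or basename(cur.image) in SCRIPT_HOSTS:
                break
            hops, cur = hops + 1, grand
        if hops:
            depths[p.pid] = hops
    return depths


def childless_script_hosts(events):
    """Script hosts running a %TEMP% .vbs that spawned nothing: the second script
    dropped at each level, seen above as the dangling WScript.exe entries."""
    parents = {p.ppid for p in events}
    return sorted(p.pid for p in events if runs_temp_vbs(p) and p.pid not in parents)


if __name__ == "__main__":
    print("relaunch hops per pid:", relaunch_depth(EVENTS))
    print("childless script hosts:", childless_script_hosts(EVENTS))
```

On a real host the same functions run over Sysmon event ID 1 or EDR process-creation records; a hop count above one for a binary that is not itself a script host is a strong signal, since legitimate software does not restart itself through WScript.exe repeatedly.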
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN" /sc ONLOGON /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
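The schtasks.exe entries above follow one template per dropped file: three /create calls for the same target (a MINUTE trigger, an ONLOGON trigger with /rl HIGHEST, and a second MINUTE trigger with /rl HIGHEST), a task name equal to the file stem or the stem with its first letter appended (explorere, csrssc, lsassl, SystemS), and a target that borrows a Windows component name but lives outside any system directory. The following is an added example, not sandbox output or code from the sample, that parses the command-line column of such entries and reports those traits. The trusted-directory list, the helper names and the benign fifth line are assumptions constructed for illustration.

```python
"""Triage schtasks.exe /create command lines for the persistence pattern in this report.

Added example (not sandbox output or sample code): the input is the command-line
column of the process tree above. The trusted-directory list is an assumption.
"""
import re
from pathlib import PureWindowsPath

# Windows component names the dropped copies borrow in this report.
SYSTEM_NAMES = {"csrss", "lsass", "smss", "wininit", "lsm", "spoolsv",
                "explorer", "audiodg", "system", "idle"}
# Where binaries with those names legitimately live (assumption: default install).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# /key optionally followed by a quoted value or a bare token that is not another switch.
ARG_RE = re.compile(r'/(?P<key>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?')


def parse_schtasks(cmdline):
    """Map schtasks switches to values (lower-cased keys); bare switches map to True.
    The nested quoting seen above ("'C:\\...'") is stripped down to a plain path."""
    args = {}
    for m in ARG_RE.finditer(cmdline):
        val = m.group("val")
        args[m.group("key").lower()] = True if val is None else val.strip('"').strip("'")
    return args


def assess(cmdline):
    """Return the suspicious traits of one /create command line (empty list if none)."""
    a = parse_schtasks(cmdline)
    findings = []
    if "create" not in a or "tr" not in a:
        return findings
    target = PureWindowsPath(a["tr"])
    stem, parent = target.stem.lower(), str(target.parent).lower()
    if stem in SYSTEM_NAMES and parent not in TRUSTED_DIRS:
        findings.append(f"{target.name} masquerades as a Windows binary outside a system directory")
    tn = str(a.get("tn", "")).lower()
    if tn and stem and tn in (stem, stem + stem[0]):
        findings.append(f"task name {a['tn']!r} is the target file name, optionally with its first letter appended")
    if str(a.get("rl", "")).upper() == "HIGHEST":
        findings.append("runs at highest privilege (/rl HIGHEST)")
    if str(a.get("sc", "")).upper() == "MINUTE" and int(a.get("mo", 1)) <= 15:
        findings.append(f"re-launches every {a.get('mo', 1)} minute(s)")
    return findings


def group_by_target(cmdlines):
    """Count /create commands per target path; every dropped file above gets three."""
    counts = {}
    for c in cmdlines:
        a = parse_schtasks(c)
        if "create" in a and "tr" in a:
            key = a["tr"].lower()
            counts[key] = counts.get(key, 0) + 1
    return counts


# Four command lines copied from the tree above plus one constructed benign task.
SAMPLE = r'''
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /f
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f
'''.strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        print(line)
        for finding in assess(line):
            print("   !", finding)
    print(group_by_target(SAMPLE))
```

The same checks apply to the live task store: export the task definitions (schtasks /query /xml, or the files under C:\Windows\System32\Tasks) and feed each task's action path and trigger into assess() to find copies that survived the sandbox run.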
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2992
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\ose00000.exe"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"1⤵PID:2980
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"1⤵PID:1944
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"1⤵PID:2600
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"1⤵PID:2376
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"1⤵PID:2052
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"1⤵PID:2520
-
C:\Windows\system32\taskeng.exetaskeng.exe {39632321-4B8B-46E4-90AD-918B059923E1} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]1⤵PID:2752
-
C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544 -
C:\Users\Admin\Recent\lsass.exeC:\Users\Admin\Recent\lsass.exe2⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2572 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebb3f657-2170-4fdb-a77c-40bd09429a8c.vbs"3⤵PID:480
-
C:\Users\Admin\Recent\lsass.exeC:\Users\Admin\Recent\lsass.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a777996-dc29-428b-9633-ebe7a2f2aea0.vbs"3⤵PID:1796
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55773280-a79a-4d68-a74f-6edcbda25920.vbs"3⤵PID:2100
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2844 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a149f6-4eca-4ee6-a35f-64c34b785168.vbs"5⤵PID:2720
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f641df2f-85a5-439d-9c9b-45965566bce2.vbs"7⤵PID:1156
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:644 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2095675a-7db6-485e-b3ed-82c97bebced1.vbs"9⤵PID:2632
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9418e24c-8b4b-4cb9-b9bf-46030d3992d4.vbs"11⤵PID:2608
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1432 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf2fbef-3193-40ce-88a7-c49f0c1ade77.vbs"13⤵PID:2008
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508407be-1f06-4c6b-a12b-dcf9a9c15861.vbs"13⤵PID:644
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c07a5a5-55ee-47bc-bde0-ec3dc5c8b708.vbs"11⤵PID:1304
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba8ad9b3-c94d-47dc-af10-b337f0163c91.vbs"9⤵PID:1028
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8533d52-2c36-4c76-b5d7-289bf66777e4.vbs"7⤵PID:1616
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564dca90-8d9b-43bf-85d1-fed76beb7496.vbs"5⤵PID:2416
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8e4ecb-0802-45b8-aa9f-733f711b684c.vbs"3⤵PID:1784
-
C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exeC:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\Tasks\lsm.exeC:\Windows\Tasks\lsm.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656 -
C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exeC:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe2⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2380
[depth 3] PID 568: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c138d4-b9c2-453f-bb1f-61021705a189.vbs"
[depth 4] PID 2960: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] PID 1708: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8427a7-1714-4506-b99d-0103d3e24b2c.vbs"
[depth 6] PID 2644: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 7] PID 1548: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b840d9-7e54-424f-8a5c-6ea3c03eeddf.vbs"
[depth 8] PID 2924: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
[depth 9] PID 2088: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44afce48-c99a-451d-be4e-035cbb7ae94b.vbs"
[depth 10] PID 1356: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
[depth 11] PID 2992: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40226343-97f3-4601-a5e1-207f6320ca89.vbs"
[depth 12] PID 2028: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 13] PID 2188: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743ed8c6-16bc-47d6-83a2-dfa2ce512bd1.vbs"
[depth 14] PID 2024: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 15] PID 1708: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7f3a56-8236-4e71-94f4-a1af4c81688c.vbs"
[depth 16] PID 2312: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 17] PID 2812: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d1574bc-ec77-4806-80bd-768b526d1b57.vbs"
[depth 18] PID 924: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 19] PID 2096: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8d3072-5729-473a-bb5c-e45eb0f7fd60.vbs"
[depth 20] PID 2940: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 21] PID 2500: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ca37f5-2f06-49bf-8ef4-62ba9246ced6.vbs"
[depth 22] PID 3000: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 23] PID 2932: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64b59c83-5bb6-447a-869e-c821b345ca0d.vbs"
[depth 24] PID 2692: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
- Executes dropped EXE
[depth 23] PID 1708: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c274ea9-eb94-4f9c-9a12-886ad95bd2f9.vbs"
[depth 21] PID 932: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41c255dd-418b-4e35-82e3-e3bf7c5431c1.vbs"
[depth 19] PID 2524: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6295eceb-3587-4bc8-9202-a8876093b766.vbs"
[depth 17] PID 1020: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd1d6a00-6f0b-4569-a0e6-8dd32f7336f0.vbs"
[depth 15] PID 2032: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3943177b-bb31-435d-9f68-2879a44068c5.vbs"
[depth 13] PID 1808: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5a3fde1-1079-42c7-a847-07c47890c8a0.vbs"
[depth 11] PID 1372: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47604fe8-6df4-4877-9d57-55637f978d72.vbs"
[depth 9] PID 2356: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2722513-b67c-4d75-bdfb-2f2ba1f444b9.vbs"
[depth 7] PID 2788: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ee279d-2c00-4cf8-93e4-89765792e852.vbs"
[depth 5] PID 968: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53bba19-005b-48ba-a400-e62434ba43e3.vbs"
[depth 3] PID 1960: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a790dfab-8088-4f09-9ba0-6a71f8e006f0.vbs"
[depth 2] PID 2444: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
[depth 2] PID 480: C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
- Executes dropped EXE
[depth 2] PID 884: C:\Users\Admin\Recent\lsass.exe
- Executes dropped EXE
[depth 2] PID 2036: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 3] PID 2148: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa7c6e-5709-4ad3-875d-8969b7772884.vbs"
[depth 4] PID 2088: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
[depth 5] PID 956: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f3c047a-00c0-4ed6-a3c2-0990a7d77b82.vbs"
[depth 6] PID 1764: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 7] PID 2296: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b345bebd-5d31-45b4-9afa-b91cae7a773b.vbs"
[depth 8] PID 1904: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 9] PID 328: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4487b1bc-2e22-4de5-b88c-8736fefee706.vbs"
[depth 10] PID 1740: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
[depth 11] PID 600: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f366ad9-42c0-4c8b-9f13-94674777a419.vbs"
[depth 12] PID 2992: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
[depth 13] PID 780: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db715930-6723-44cb-bbcd-789cd77007b7.vbs"
[depth 14] PID 1792: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
[depth 13] PID 1588: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca795d0-6d4b-4fb7-a7d7-ea2a42fea0cc.vbs"
[depth 11] PID 2712: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34062494-f033-4368-b1b8-7d6bb19f3091.vbs"
[depth 9] PID 2608: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6574cb59-fe3c-436a-9ea1-d003cb4570e5.vbs"
[depth 7] PID 2400: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7ec0fe-c938-49ec-a116-aa2fe7e56828.vbs"
[depth 5] PID 2312: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1b8ed7-f92d-46c5-ade6-ff762fc5acb4.vbs"
[depth 3] PID 2320: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8b9906-758a-4005-8707-0d558b6e2599.vbs"
[depth 2] PID 2296: "C:\Users\Default\Saved Games\explorer.exe"
- Executes dropped EXE
[depth 2] PID 544: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 3] PID 2160: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68e9d80-dc4e-4dab-b8a8-90760d329f8a.vbs"
[depth 4] PID 1848: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 5] PID 2536: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2c8bd2-5814-49c5-9e9c-e73cded7fbf0.vbs"
[depth 6] PID 2124: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Checks whether UAC is enabled
[depth 7] PID 1636: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7d157a-0fcc-4272-879c-7cb160b9d3e6.vbs"
[depth 8] PID 1656: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 9] PID 1428: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b672e89f-6ecb-4cbe-bd67-b2ac71ac173a.vbs"
[depth 10] PID 2844: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
- System policy modification
[depth 11] PID 3048: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62c7658-4df7-4a27-9974-3f78506e9fb7.vbs"
[depth 12] PID 2160: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 13] PID 3160: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f552f3-f7bc-49a5-a2e8-b76b74487c3d.vbs"
[depth 14] PID 3324: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 13] PID 3220: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9038819e-8166-4afb-a2d8-3e20446c2cba.vbs"
[depth 11] PID 2252: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e662146b-b874-409a-9631-343c31195a91.vbs"
[depth 9] PID 544: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4960acb5-38e4-476d-b58c-8d9e9ba76553.vbs"
[depth 7] PID 2584: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adf81c3-dc79-4118-802d-4284beb88cee.vbs"
[depth 5] PID 780: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a677a3f-2ca9-4e68-8348-2ece52d293d8.vbs"
[depth 3] PID 2384: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330c5bcf-ce0b-4189-8816-8aeb67db4e22.vbs"
[depth 2] PID 2204: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
[depth 2] PID 940: "C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"
[depth 2] PID 3504: C:\Users\Admin\Recent\lsass.exe
[depth 2] PID 3512: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
[depth 2] PID 3528: C:\Windows\Tasks\lsm.exe
[depth 2] PID 3536: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
[depth 3] PID 3888: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9165e0-cc3a-40b2-8813-ad8e1dabf8eb.vbs"
[depth 4] PID 3108: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- System policy modification
[depth 5] PID 3048: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27ca13c8-0325-40bd-a0ea-9b4ec16be2ed.vbs"
[depth 6] PID 1656: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- System policy modification
[depth 7] PID 3380: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91b4c8c6-5903-4623-aea3-6815c58b66a3.vbs"
[depth 8] PID 1248: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 9] PID 3448: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1831e825-5231-4c9f-bc29-63247c122fc3.vbs"
[depth 10] PID 3988: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 11] PID 3544: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdcd68f-fb59-4784-b85a-d7b9ea2a07b7.vbs"
[depth 12] PID 3592: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
[depth 13] PID 3312: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4860e01f-09ef-4c73-9c3f-6435d88c9dda.vbs"
[depth 14] PID 588: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 15] PID 3420: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7aed086-5bda-4151-80c5-0def7ac118f5.vbs"
[depth 16] PID 1656: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 17] PID 2952: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e575393-f82b-4ad6-856d-57b9d3a61a86.vbs"
[depth 18] PID 3812: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 19] PID 4052: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19590dc-2eb3-4bff-a75d-7d636c337015.vbs"
[depth 20] PID 3908: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
[depth 21] PID 3544: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d098ee-bf98-4b3f-af69-01546596ab97.vbs"
[depth 22] PID 3396: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 23] PID 3416: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c316e8b6-7b99-4898-85d0-e3058c438ae0.vbs"
[depth 24] PID 3572: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
[depth 25] PID 4060: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b020b20b-0c5b-4ef2-a44c-4f174cc72abd.vbs"
[depth 26] PID 1848: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 27] PID 3296: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1bcc459-671b-493c-bd8f-e919ec3b6fe1.vbs"
[depth 28] PID 2552: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 29] PID 3348: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353d9cfa-43fc-456e-916f-7a0ca3726f35.vbs"
[depth 30] PID 3452: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- System policy modification
[depth 31] PID 4036: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66b8fad-1172-4e82-8715-da4fdc125421.vbs"
[depth 32] PID 4008: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- System policy modification
[depth 33] PID 4080: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c49916-304e-4d94-beaa-e6200cf8d702.vbs"
[depth 34] PID 3896: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
[depth 35] PID 3392: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7197a734-a884-45c3-a50f-79262f722534.vbs"
[depth 36] PID 1256: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- System policy modification
[depth 37] PID 3684: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b176fd30-5b8c-4a34-9ab9-2a6fd904e599.vbs"
[depth 38] PID 3640: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 39] PID 3536: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c413a012-8714-4a95-ad60-19b6316ee68c.vbs"
[depth 40] PID 3756: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
[depth 41] PID 3468: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8680b574-ecc9-4518-b965-0d6484bf097d.vbs"
[depth 42] PID 3404: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 43] PID 3120: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\004fcd9c-edda-459e-83b4-a56806cd8e75.vbs"
[depth 44] PID 2564: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
[depth 45] PID 3628: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659656d9-1df5-4c34-a67e-25363301eb0f.vbs"
[depth 46] PID 2436: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 47] PID 1376: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffb2ed75-023d-48b7-8314-651d4f85f97d.vbs"
[depth 48] PID 3544: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 49] PID 3524: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf8ce99a-eb05-4f75-bf26-04a46d638a48.vbs"
[depth 50] PID 3108: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 51] PID 3980: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\428da52a-3604-470b-b057-5902eaa13993.vbs"
[depth 52] PID 4020: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- System policy modification
[depth 53] PID 3816: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\754d0ed4-7f61-4bd7-9723-4c5861408d9e.vbs"
[depth 54] PID 3560: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
[depth 55] PID 3592: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b5b71cc-fa12-40e3-94ba-d6f702bb73ba.vbs"
[depth 56] PID 3864: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
[depth 57] PID 3564: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d97c17-869e-4520-8545-56ab51a367a2.vbs"
[depth 58] PID 2720: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
[depth 59] PID 3264: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\570042b8-4769-46be-925c-f2e9289e426b.vbs"
[depth 60] PID 3184: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 61] PID 1852: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6409692a-9c2b-4d72-befb-536aae14efa5.vbs"
[depth 62] PID 3456: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 61] PID 3628: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f781d06-f57d-4d31-b5ee-581a8d0c9d8d.vbs"
[depth 59] PID 3780: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e08a1196-b5e5-44b1-b685-11bd8c713268.vbs"
[depth 57] PID 2924: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9ffe74-28cf-438e-8c01-9865d782fb85.vbs"
[depth 55] PID 4068: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e25829-5ded-4b58-a29d-09e1f17a932f.vbs"
[depth 53] PID 3528: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4ee9d99-1404-4d6a-9891-ac148d55b715.vbs"
[depth 51] PID 2620: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1003441e-f5a4-4ea3-accb-82f163a5ed4d.vbs"
[depth 49] PID 2868: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4512d7b-c20f-402c-8be6-21a53c439a4f.vbs"
[depth 47] PID 4084: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b88d343-e3ba-40e7-a3da-9a8ed9800ed7.vbs"
[depth 45] PID 3100: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67659cee-ed3a-4659-b112-dbf0aa54fc4c.vbs"
[depth 43] PID 3988: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7942f640-df32-47ed-9bf1-540fd93ef028.vbs"
[depth 41] PID 2844: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3bea8da-085c-4b1e-b461-b2171a72c068.vbs"
[depth 39] PID 4036: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614a48d1-8ec4-4bd3-b807-4379d1f668a4.vbs"
[depth 37] PID 3716: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e5291a-2e1c-4927-9047-e5e7b924d519.vbs"
[depth 35] PID 2992: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d336ae63-5a53-4254-9a05-01851c93c85a.vbs"
[depth 33] PID 3144: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f183ecc-b65e-46cf-af0d-862755793078.vbs"
[depth 31] PID 2952: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3b9b6d-cc31-4e21-8225-4269f6d2e05d.vbs"
[depth 29] PID 3288: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18fc56d-8b59-4b3a-b6f8-78652be138d4.vbs"
[depth 27] PID 3136: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96646a7d-d4d3-4cac-b1ea-f4660de91140.vbs"
[depth 25] PID 3504: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529c7d6a-95ce-4777-878f-76a1ef4f0040.vbs"
[depth 23] PID 600: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8dd02c7-a8de-436e-b269-41fec808ca1a.vbs"
[depth 21] PID 3588: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacc9d16-a581-4bd9-98ce-0a450893b92e.vbs"
[depth 19] PID 3708: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72fef30b-806d-496d-a128-236923f44e76.vbs"
[depth 17] PID 1640: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c077c7-50fa-4231-8b64-da4b3f34812a.vbs"
[depth 15] PID 3000: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44610319-c55c-4868-b218-bdf4803bfe5c.vbs"
[depth 13] PID 1964: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8830da6-9803-41a4-a4de-b9f24923f221.vbs"
[depth 11] PID 3552: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ba9a05-443e-40ce-a108-be077d910471.vbs"
[depth 9] PID 3832: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ca4e411-a5ac-471a-ba9a-f8f27cb8ee58.vbs"
[depth 7] PID 3408: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a67bc18-15ba-4920-b53f-6dfe54d80027.vbs"
[depth 5] PID 3248: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2064efdd-74ab-493b-8950-1f83940d3aa7.vbs"
[depth 3] PID 3940: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7a08be9-70cd-44dd-b67f-7dfe9ee0072d.vbs"
[depth 2] PID 3436: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 2] PID 1376: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
[depth 2] PID 2872: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
[depth 2] PID 3200: C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
[depth 2] PID 2840: C:\Users\Admin\Recent\lsass.exe
[depth 2] PID 4064: "C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"
[depth 2] PID 1352: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
- System policy modification
[depth 3] PID 1804: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d5ba54-2f5d-4264-8f44-cc64f41e0ad8.vbs"
[depth 4] PID 2388: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 5] PID 3556: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764e1ab7-2bba-43cf-b8c3-9f9e03467854.vbs"
[depth 6] PID 3304: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- System policy modification
[depth 7] PID 3564: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ffe154-fa6e-475e-b610-a0643a32b338.vbs"
[depth 8] PID 3676: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
- Checks whether UAC is enabled
[depth 9] PID 4092: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c7b982-84e8-4ed2-afab-505c81ed8c1f.vbs"
[depth 10] PID 1432: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
- System policy modification
[depth 11] PID 1364: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2655f2f9-8550-451a-b5ba-6bd9d4a73158.vbs"
[depth 12] PID 3736: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
[depth 13] PID 3756: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83f4bad-c3e6-4b38-b431-ec78fa4bd7b8.vbs"
[depth 14] PID 2020: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 15] PID 1704: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e5693b2-a895-42a4-8503-1a000b3dd264.vbs"
[depth 16] PID 3152: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- UAC bypass
[depth 17] PID 3292: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f278f799-e669-4a90-a89d-ad24a99b1e74.vbs"
[depth 18] PID 1792: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
- Checks whether UAC is enabled
- System policy modification
[depth 19] PID 3464: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ca6903-f844-46b3-b727-4b781a3d003c.vbs"
[depth 20] PID 3584: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 21] PID 2860: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d932b8e8-2240-468c-b1df-2909ca0f3ab8.vbs"
[depth 22] PID 3676: "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
[depth 21] PID 3924: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ff7587-df65-493f-adf2-836849fcd02b.vbs"
[depth 19] PID 3576: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d538be-bcce-4f87-97e2-476bbcee65ae.vbs"
[depth 17] PID 3544: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2493fdf-d86c-441c-92aa-6cb539e386bb.vbs"
[depth 15] PID 2136: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa3965a-6c54-415b-851f-0fae7e73ced9.vbs"
[depth 13] PID 3344: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb4f5e6-65c2-4bd3-8c7a-dd8dd0ff3ae8.vbs"
[depth 11] PID 3968: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b6ecf56-3b79-42b8-bc5c-2344a4daf9e8.vbs"
[depth 9] PID 4032: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ea02601-d5dd-45e3-8895-91a51044e0a2.vbs"
[depth 7] PID 2120: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e6d4d81-21e4-417e-9356-cade703f04d5.vbs"
[depth 5] PID 2432: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\742bfaf1-f2e1-4374-bfb8-5f0efb437697.vbs"
[depth 3] PID 336: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a43d0acd-ce98-423a-adb6-9ca52d9c9ca4.vbs"
[depth 2] PID 3424: C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
[depth 2] PID 3112: C:\Windows\Tasks\lsm.exe
[depth 2] PID 4048: "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
[depth 2] PID 4060: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- Checks whether UAC is enabled
[depth 3] PID 3860: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6d0864-4a0e-4414-b04e-5e3986e09daf.vbs"
[depth 4] PID 3556: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
[depth 5] PID 3632: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00978fee-2799-4c17-9579-f97c3d948057.vbs"
[depth 6] PID 3564: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
- Checks whether UAC is enabled
[depth 7] PID 940: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8fb25d-06e1-4594-995c-a6bc85d0b29c.vbs"
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"8⤵
- UAC bypass
PID:2816 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a400d5-7df3-4a87-b56a-42b5a653b889.vbs"9⤵PID:3656
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"10⤵
- Checks whether UAC is enabled
PID:2860 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b69289-a079-4848-a3f9-31eef4c57f53.vbs"11⤵PID:3852
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"12⤵
- UAC bypass
- Checks whether UAC is enabled
PID:3200 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65c195e-c52d-4fe7-ac1e-c2b3200e166f.vbs"13⤵PID:776
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"14⤵PID:3736
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98f65c3-bab4-4463-8255-b72b5ca94ee0.vbs"15⤵PID:3840
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"16⤵
- Checks whether UAC is enabled
PID:3684 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c820c89-6b36-4673-8ae7-f2b287de9f04.vbs"17⤵PID:3676
-
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"18⤵
- UAC bypass
- Checks whether UAC is enabled
PID:3280 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce3d7aaf-82e5-464f-a3e0-3539426365da.vbs"19⤵PID:4120
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22d245c-93bd-4ab9-b9f4-afb668747a41.vbs"19⤵PID:4168
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c8c9ef-9d67-4c1b-b595-c3d03803863e.vbs"17⤵PID:3360
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb93e09-4363-4997-9308-a3af23f1f235.vbs"15⤵PID:3688
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f197267-a4c3-4299-b150-79a8cff73cfe.vbs"13⤵PID:3632
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ee4644-7626-4cf9-83c5-f8932b788d4b.vbs"11⤵PID:1852
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da94ec6d-ba16-4ebe-bfdf-1762a1a75b88.vbs"9⤵PID:3760
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c327091-3c6d-4f61-afc5-7f138e406c44.vbs"7⤵PID:3912
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe6ad39-2c50-494b-ab94-88d520dcb21f.vbs"5⤵PID:4092
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c46bbfa-7b0c-4ba8-bedb-8054d220a34c.vbs"3⤵PID:3916
-
C:\Users\Default\Saved Games\explorer.exe"C:\Users\Default\Saved Games\explorer.exe"2⤵PID:3476
-
C:\Users\Admin\Recent\lsass.exeC:\Users\Admin\Recent\lsass.exe2⤵PID:776
-
C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"2⤵PID:3032
-
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exeC:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe2⤵PID:3976
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 4.9MB
  MD5: 1f10925693bbf4fa35d0a1b7277efe21
  SHA1: 2d38bd8b9ba5107b9e905e77ec179b369d2d5f7a
  SHA256: c808909af7ce018bc0d993e957e25bbe63aea9ed9746107194e660eb6d2f478c
  SHA512: add18344b2b66495e6212ed0c6f79097dcb35e64ff3077509d25693156d8d019a027dff1e04c66952af3641599fafab3274ef87a027b60993c069d939f9f9e38
- Filesize: 4.9MB
  MD5: f7543863b15675605ca0dd3264d06561
  SHA1: d607a45cc3aa772e31f2d5558538a9d3fe7b138f
  SHA256: 0c0b7e8ea93e5aae2ff44d35ef4f93f2fe113a74a1db5a55d1e5d69506b3f067
  SHA512: 911b384009b9d98c48f18947701eee791d60bd0254258a557b2769bfad0266194cdb3c58a592788fa7a41fd5041a85b74d59f9f982054770f087c72289ba004f
- Filesize: 4.9MB
  MD5: 902f5a8ad3b6cccbc70c3c5b1bdf3afd
  SHA1: 581e37998cce83437db5ee432d472b9d395f10ce
  SHA256: 088ba83d7632ad1ff17bac826aaa22af8bd1b62fc11f9bb31082caf87ef326df
  SHA512: 79a9a3ee65bd1929a3464b627a079d407402163cac4f5ff85940994b9439ab2463bb591f472a9283f70605e81c269d9878a7f6fdca6bd9abdae5b72203ee2c98
- Filesize: 4.9MB
  MD5: 5a9fb15e8fc1d8162c861ca1544f38f0
  SHA1: a7606e286eb27a1a5e95693c594de5c65c5d7aa1
  SHA256: b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a
  SHA512: a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d
- Filesize: 737B
  MD5: 94ddc237ac5f52fe612b279a6058d2d4
  SHA1: d8fb261b8dfeb2863874a8ab86a77382a8520699
  SHA256: b8d5f7fde8ad466e246f48ff0b5f2032b0199a2b45ea64be39938bb736b59500
  SHA512: e614213100c4bfb51e8c10aafaef7a3f529f72923d98623f5e093706239f2fd6f9a78525e1c07aeb84a4634407179a10792bc9cabae4f174cc5ecc209188e9fa
- Filesize: 737B
  MD5: 3089c47815b937b28f4a5c97f59e8eee
  SHA1: 734f3678338f26b6ad91c5864e27480c4c672265
  SHA256: beb1bf686dd8cd883c781cb2c753eb146536e8f65ba0231aa8e5b799c9feffaa
  SHA512: 2476e4d6f403d3391eca0575d101c264fc32128fc1c413ef04a859006456844fd628431120662e5a609acb8a842fca1f82a7e30dcc221444616636419de4a1e4
- Filesize: 737B
  MD5: b7f08e3a3eecc5a9af6067e9a780d445
  SHA1: a7816aa3ad08a67090a8a1b7a3cb4ebfdd971495
  SHA256: 9464d7d4d317f80a9245f48f6b98ed6d823a076b4d330c8304e22e6eb3821c48
  SHA512: d346206df9472b6049c862ff39fd529c2f3a0e6cc18a494fb3786c26c4898625602946eff40809ae7219f2cd77c1857e4ac7c80dd122c262b94f584d5148a82c
- Filesize: 736B
  MD5: b15d682a6fa720ccced581a945b927fe
  SHA1: cdfb29eac715c0d26974659738b32e298cb51e51
  SHA256: 8c92a3835848525efb0abfa4e59136d940fd64fbc18626eeae96974de6258136
  SHA512: 0782b4e4711ad927e1b7319135285a127ce8fa2e0e82193351498976afe4325d2218a300ca796e87e15134b7f4990710b94f3855af3a334f5da91a3cf9988b82
- Filesize: 737B
  MD5: 77eae1c1d105a9e55a0517cf80c8e94b
  SHA1: 6fab975c03d94152a8b66d25b3c3357a399c2d29
  SHA256: aedcd7d3581e95d141b14ba24b391e14665532cb0a2a0602276a993377ee3961
  SHA512: 4ed7b5d12b5cb29dae0bae917ec904a61125d015e7ea142beeac6e4f57d1c0a0c39de3728d5a26075ee44ed6fc51876ab04962f807bbe27c9e7ac2dca189d1a2
- Filesize: 737B
  MD5: c5d33614fdb3b45208edbb5aac6bbca6
  SHA1: aa916221cf31f36a965ef54936b0b3b3ed8129df
  SHA256: 6ea0433240069c3e24185ac868c201ab90cc14972acfedd544b5649bae7aba9b
  SHA512: a72c101165f88e382342d6f97cf849369c4f9008e179ac66e96b29457e6647fec30a1054d61652977251c889d27b4f0157251eccef584493336c7467491d6e6e
- Filesize: 737B
  MD5: ba0ff6f13c21f3d9e7b742fad4c96eac
  SHA1: 0d9249a83be2753bcc518422087673a007ed6b67
  SHA256: 0b774dfe76f32e4ac4473c4525f5847e888ccac51ce0d95b452492c74d46c049
  SHA512: 4985f4124a7ac792febb0385eea67155f452f454907cce1b0e7da3ab5b7907555dfe72d7378e23d3f2ec55df5861d4df561f446be5af3c0430bcb2829e7f24f6
- Filesize: 516B
  MD5: b1b323a475c9afc41ca4985a94636449
  SHA1: 0fa05d2ed088dddaa2ca1484881ae9bba51a49ce
  SHA256: 15e59ecf287c710faf0488b4dbdb7b8f715751e41f800cd433235cee5fc79a67
  SHA512: 4f386c0bbeb5190d268da23040221c1d7ad7cac60ca644ae4a7ed536a67f79ff3be58b7366868bc99f86820ab76ed263f2a419b2be7ca1b3239ad9a595ecc223
- Filesize: 523B
  MD5: 2c61fa8aea872fc77447f09ecc005f12
  SHA1: 9d1f0ad4040289c49d7f0d78f1fd0717dc580ca2
  SHA256: 5d90ed02b0fb7d509975252c1a573d6ce2995a0041383416848e92ab915b4672
  SHA512: 43981a90cdf5632347871db60bd74a0ce8de366991cb83aacbd56fbd78baa79d6d1989c098c8519b5b68468c9d322fffc3378dd1ec71414247652406e320f070
- Filesize: 513B
  MD5: ea35266504394a12cbb7e0eb895bb381
  SHA1: 748a56fb051a9ffaa55fb89b02399e87131459cc
  SHA256: 6a349bf2301c2b86ae27a0268e85789783c0eec260babe9808cbfab61187c6e3
  SHA512: 033ec671e193aa971271392151a2f6780a9e0e5d53244ac3ee4afc7d5e9dc908ee58720af1a4d02c7853ca7f45a56b1a146474aa58b944d28dd12969e94b4b73
- Filesize: 737B
  MD5: 66947f08603787939ee422f69aa2de86
  SHA1: c255c77b60cbdec98a0bef76beb98bbd8814070f
  SHA256: c4a27afec8626a2f296e5c053810f3752f8f1ad589339b09d1ba76fe749228f4
  SHA512: 91f3fc04f0df696cba255a33d3a61d566eb18f15c4eff11f85f3e975e2a8e478123f563fb4c3635b904d7cf6d6fb2e34ad8f3cf0055d8070b26adf37a56d087b
- Filesize: 737B
  MD5: 05ed5d7ce2024a516ee2e5b66bc7d16c
  SHA1: 4c3e55eb6b6f18f6fe0214f19393c9c0c3452314
  SHA256: 40042a78413edd782a3547005facc59a719c929e9b277ff03a65c6e763b70772
  SHA512: 28709559da2c9e095fbeab2c65cb168501e40d2bf1696ca52352fc01665f53bc81ae2bdab123df7af9f583e5d8c6378e56829fe1dcd94f031b24d2f3f687c4c5
- Filesize: 226B
  MD5: f14661361959be15faadbe237c212ceb
  SHA1: 082540ee7930a64bf774fa68210d7f3b50cfbf32
  SHA256: 502611aa66faf25fbc9c3b7ca6a22de90330afd8b3ebb3219173bc4f4cff77f5
  SHA512: 6723c32692905c7ceb68a332988f03eb7079ab336f8220b61ae1b18def8a204cab559e359ed0da955ae1eefa9b80791e3f14e33d6533e834fbe38146d1a195e4
- Filesize: 526B
  MD5: 449e9b99e79d978faeb4ea9d9dc002e8
  SHA1: df31d59a34057b5c81dd75dcb00db2769810cf08
  SHA256: 576519056be9a4b8d2911fe3aeafd72f10e0accf08551a9e7f76d119d547675a
  SHA512: de0653c319098321cd3401e637b0c3aecff42e627a64298be0a60211baf5fb4a05ab2619c63f073502f7e81871113c5ed278f55dacada438b27ac5d0d0eb1f20
- Filesize: 737B
  MD5: 1ce6ebc2b4d1e7d74e2ea23794194d0e
  SHA1: 0c3c39af37b0358870e95ddf1108f24d9c97ad2d
  SHA256: e1e5c6cf140b568629cb44788ca9d42220ad464585759bdb5d68391c1918c31e
  SHA512: fae7ff6ef7406ee4dfc7b9d009f99902b09448513b218d6eca4dbbaf487ae1618a1c05acf5973417fe4e2ad857d629e64e12b314f29b0704b9b4f00bd968db6d
- Filesize: 737B
  MD5: 4aefb45cb8bc0f1eaf3bc20668c767f7
  SHA1: d4d304f182280e0b46099ec73e3f2a7b20205311
  SHA256: b73756e4840ab5bf14dd184f0e342640fb2545238c18d521c75382a95aeaf53d
  SHA512: 3b4221986a502d950860aac516a55f1306e9a068a642f955e5428ddd6ef6f4b5a012e5fb5af4efde270795e254d25c7c730d5df3cf2a2e47d596b5be66c02f43
- Filesize: 510B
  MD5: c669c97cdad6b1d111abd49c70bdffba
  SHA1: 3ffa3c8b796257bb418ebdae49245e1e20165840
  SHA256: 03570eb84cd5129170607d2ca5f54cb02cf661e86d67f3ef63133dfaf09334b3
  SHA512: 349c393532e6fdb3f708e1dbeeb374b02a7f0bd1bfc445fa6c0d53b4d734f38592de438c07ec4daf41f6168eac973fe26bf66cac9ee68f9973a913be73cf1353
- Filesize: 737B
  MD5: 16474ae0a00bbed20c4754950029aa52
  SHA1: ffa7f904934a3ea18563ee9ad56d26600717eb33
  SHA256: c00beeaebddd1b7e596d390568e808cbfaa57d29655819c0c4d828aa4bf1198b
  SHA512: bd661163269ebe96b2d4e6273c6c353aafd26123e8ee927e724bf5ca0c0989678e93566d00a2a4b421cf2aca6b37d74d3434deb0682381ea2a06745da510e1d3
- Filesize: 737B
  MD5: dda1d99a1b4a8b81893e0887da0bbc3f
  SHA1: b2628c9ade665794c75cf484e6324a7ce3443a7d
  SHA256: cbcbf743855503ce684ce9aa8249bee0ef9c1408943c47f9650b12ec451e1c82
  SHA512: ab3c725c40f1fd3433e7a4f6e6abbe47779f1578b8c9e496abf45e6e05379bfab6d368aa7f8fa9140adf240961c963a679fb06602c38be0d66f914d99223d964
- Filesize: 737B
  MD5: 6337f4f18ad38add8b95068bb8489387
  SHA1: e3de6b5622729fd72e05fde5b96b18c5e87488d8
  SHA256: 9c88277a72964de97ac79c6d12f1d1a7d5d35035b6c8f4d6046facc8d6bc10e3
  SHA512: 0966083525c0fdf6329130d29dd43f92a42e791defcd6585ca4818aad2acaf483e9e004cf2cdc7b3a78f95f95477db60bd259f1a49e4f31b0a373ad71c720729
- Filesize: 737B
  MD5: 1bee4425dab93b60f0d50281e505cc31
  SHA1: 8af4238d6aac4605e9f8d8e789a860287f6c8677
  SHA256: 768e2a3e627d70eecd5034065bc2e7c7e2401485561fe5fb674316073a174633
  SHA512: 140fab69f27d2e39ce0cbd4f13e05324a10d742f9e567ce6d4fe413cf0160febbfc5ab28ccc60c354bdc0d018ee8710cc5bd5c7a9edb5c7989d95d092e62d5f8
- Filesize: 736B
  MD5: 2b7ded60cefb283969cf354a777bc526
  SHA1: a8e734ca1771d289339b3110a814e403caeb87db
  SHA256: ff8e07dbbf6635ed59f40a9f87a53a01c708f732a157445537765986079d2475
  SHA512: 5866ce8862e5ee059ef21c6bc9803fafa063b1909892f233815bad0c208971809dac5999a894462c533e2d56a71530c3fea6105047e252cb4d45a1f28ad81c98
- Filesize: 75KB
  MD5: e0a68b98992c1699876f818a22b5b907
  SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
  SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
  SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 13d390a087d4855aca2a53419c36a911
  SHA1: 7fd2d45880d625bbebce7e8a74a67950538cc6fd
  SHA256: 1eed5dcdeeaa69c69c3b935799dc95ffdb97404d0fab6ee8e9e2f2e1827ca084
  SHA512: 96811206c11d25a38f19b510b87c01ebcdaadc83722b267f38b0805ecd3312e5fe0a5ea2058f0b41439a85e0fcacec21132f5745b97fba059968694b2d18ebf2