dcrat | c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Size

4.9MB
MD5

04a5a680096028d0f1b150420923d6da
SHA1

ea45b7f50479db4e89573601386f600e7cc64aa2
SHA256

c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259
SHA512

3d857d1e20b1d05ebdd570c7bc55f41a9d11c5b1550dd0c28085e7957908530f804d5d9ca083dd93cd8639063669487c43fefa0fd893f613074d7d142c9083c3
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2052	schtasks.exe	31

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2856-3-0x000000001B730000-0x000000001B85E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1960	powershell.exe
1720	powershell.exe
868	powershell.exe
1776	powershell.exe
1372	powershell.exe
1520	powershell.exe
1696	powershell.exe
2800	powershell.exe
340	powershell.exe
1704	powershell.exe
2168	powershell.exe
2032	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2748	audiodg.exe
1632	audiodg.exe
2000	audiodg.exe
2232	audiodg.exe
2800	audiodg.exe
2912	audiodg.exe
2176	audiodg.exe
2132	audiodg.exe
2656	audiodg.exe
2884	audiodg.exe
1720	audiodg.exe
2108	audiodg.exe
2044	audiodg.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX7957.tmp	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\lsm.exe	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX84B2.tmp	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\WmiPrvSE.exe	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File created	C:\Program Files (x86)\Google\Temp\lsm.exe	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File created	C:\Program Files (x86)\Google\Temp\101b941d020240	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File created	C:\Program Files\DVD Maker\de-DE\WmiPrvSE.exe	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
File created	C:\Program Files\DVD Maker\de-DE\24dbde2999530e	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2064	schtasks.exe
1340	schtasks.exe
1528	schtasks.exe
1020	schtasks.exe
1716	schtasks.exe
2232	schtasks.exe
1752	schtasks.exe
2316	schtasks.exe
2624	schtasks.exe
836	schtasks.exe
2144	schtasks.exe
2288	schtasks.exe
2448	schtasks.exe
764	schtasks.exe
2192	schtasks.exe
2172	schtasks.exe
1268	schtasks.exe
2484	schtasks.exe
2572	schtasks.exe
2968	schtasks.exe
1972	schtasks.exe
2292	schtasks.exe
2928	schtasks.exe
1824	schtasks.exe
3012	schtasks.exe
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
340	powershell.exe
1372	powershell.exe
1776	powershell.exe
2032	powershell.exe
2168	powershell.exe
1704	powershell.exe
1720	powershell.exe
1960	powershell.exe
1520	powershell.exe
868	powershell.exe
2800	powershell.exe
1696	powershell.exe
2748	audiodg.exe
1632	audiodg.exe
2000	audiodg.exe
2232	audiodg.exe
2800	audiodg.exe
2912	audiodg.exe
2176	audiodg.exe
2132	audiodg.exe
2656	audiodg.exe
2884	audiodg.exe
1720	audiodg.exe
2108	audiodg.exe
2044	audiodg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2748	audiodg.exe
Token: SeDebugPrivilege	1632	audiodg.exe
Token: SeDebugPrivilege	2000	audiodg.exe
Token: SeDebugPrivilege	2232	audiodg.exe
Token: SeDebugPrivilege	2800	audiodg.exe
Token: SeDebugPrivilege	2912	audiodg.exe
Token: SeDebugPrivilege	2176	audiodg.exe
Token: SeDebugPrivilege	2132	audiodg.exe
Token: SeDebugPrivilege	2656	audiodg.exe
Token: SeDebugPrivilege	2884	audiodg.exe
Token: SeDebugPrivilege	1720	audiodg.exe
Token: SeDebugPrivilege	2108	audiodg.exe
Token: SeDebugPrivilege	2044	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1704	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	59
PID 2856 wrote to memory of 1704	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	59
PID 2856 wrote to memory of 1704	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	59
PID 2856 wrote to memory of 1776	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	60
PID 2856 wrote to memory of 1776	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	60
PID 2856 wrote to memory of 1776	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	60
PID 2856 wrote to memory of 1372	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	61
PID 2856 wrote to memory of 1372	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	61
PID 2856 wrote to memory of 1372	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	61
PID 2856 wrote to memory of 2168	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	62
PID 2856 wrote to memory of 2168	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	62
PID 2856 wrote to memory of 2168	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	62
PID 2856 wrote to memory of 1520	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	63
PID 2856 wrote to memory of 1520	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	63
PID 2856 wrote to memory of 1520	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	63
PID 2856 wrote to memory of 2032	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	64
PID 2856 wrote to memory of 2032	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	64
PID 2856 wrote to memory of 2032	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	64
PID 2856 wrote to memory of 1960	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	65
PID 2856 wrote to memory of 1960	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	65
PID 2856 wrote to memory of 1960	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	65
PID 2856 wrote to memory of 1696	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	66
PID 2856 wrote to memory of 1696	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	66
PID 2856 wrote to memory of 1696	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	66
PID 2856 wrote to memory of 2800	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	67
PID 2856 wrote to memory of 2800	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	67
PID 2856 wrote to memory of 2800	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	67
PID 2856 wrote to memory of 1720	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	68
PID 2856 wrote to memory of 1720	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	68
PID 2856 wrote to memory of 1720	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	68
PID 2856 wrote to memory of 340	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	69
PID 2856 wrote to memory of 340	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	69
PID 2856 wrote to memory of 340	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	69
PID 2856 wrote to memory of 868	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	70
PID 2856 wrote to memory of 868	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	70
PID 2856 wrote to memory of 868	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	70
PID 2856 wrote to memory of 2748	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	83
PID 2856 wrote to memory of 2748	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	83
PID 2856 wrote to memory of 2748	2856	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe	83
PID 2748 wrote to memory of 2608	2748	audiodg.exe	84
PID 2748 wrote to memory of 2608	2748	audiodg.exe	84
PID 2748 wrote to memory of 2608	2748	audiodg.exe	84
PID 2748 wrote to memory of 1128	2748	audiodg.exe	85
PID 2748 wrote to memory of 1128	2748	audiodg.exe	85
PID 2748 wrote to memory of 1128	2748	audiodg.exe	85
PID 2608 wrote to memory of 1632	2608	WScript.exe	86
PID 2608 wrote to memory of 1632	2608	WScript.exe	86
PID 2608 wrote to memory of 1632	2608	WScript.exe	86
PID 1632 wrote to memory of 1048	1632	audiodg.exe	87
PID 1632 wrote to memory of 1048	1632	audiodg.exe	87
PID 1632 wrote to memory of 1048	1632	audiodg.exe	87
PID 1632 wrote to memory of 1036	1632	audiodg.exe	88
PID 1632 wrote to memory of 1036	1632	audiodg.exe	88
PID 1632 wrote to memory of 1036	1632	audiodg.exe	88
PID 1048 wrote to memory of 2000	1048	WScript.exe	90
PID 1048 wrote to memory of 2000	1048	WScript.exe	90
PID 1048 wrote to memory of 2000	1048	WScript.exe	90
PID 2000 wrote to memory of 1504	2000	audiodg.exe	91
PID 2000 wrote to memory of 1504	2000	audiodg.exe	91
PID 2000 wrote to memory of 1504	2000	audiodg.exe	91
PID 2000 wrote to memory of 2924	2000	audiodg.exe	92
PID 2000 wrote to memory of 2924	2000	audiodg.exe	92
PID 2000 wrote to memory of 2924	2000	audiodg.exe	92
PID 1504 wrote to memory of 2232	1504	WScript.exe	93

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe
"C:\Users\Admin\AppData\Local\Temp\c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41e36058-b2f9-4f25-b2e3-ddc658b52835.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
      C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62a4075c-86f9-4115-a85e-c85c4de949aa.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cf593e2-af46-4547-9e4e-49d99edcb1d9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab3dc2e-6ca0-45c6-9f4b-5e12288bf5d5.vbs"
        9⤵
        
        PID:1716
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbb0d9a1-623a-4e31-8b80-5f9cb71bb3e9.vbs"
        11⤵
        
        PID:2016
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e365c087-f4aa-4df6-b50f-d44eb7787109.vbs"
        13⤵
        
        PID:876
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39852769-77ec-4aa5-bec6-43152c3b4c5c.vbs"
        15⤵
        
        PID:3008
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad4d82f3-d68b-416f-88da-16a4afad5c0c.vbs"
        17⤵
        
        PID:2856
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d64f68ce-fcc3-4e67-915f-f1e38b6695ba.vbs"
        19⤵
        
        PID:2948
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f112c026-da0b-4925-9526-13da15879739.vbs"
        21⤵
        
        PID:2504
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c75d1962-6a71-4c89-b501-5da9d091c3a8.vbs"
        23⤵
        
        PID:2492
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bbfebfc-d27d-483d-906a-35e8038d6181.vbs"
        25⤵
        
        PID:1960
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c093cb66-f80f-452c-8033-fc222c9f8bda.vbs"
        25⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688e3721-4303-49af-9f0e-af6069dddbe5.vbs"
        23⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e60ac11-f98f-406b-ae32-382d7369e295.vbs"
        21⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541fba4f-9f77-42be-8348-d00bff22532e.vbs"
        19⤵
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a1c1ab-91bc-448d-92cd-f0eb735286dd.vbs"
        17⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5644a00-7870-45ef-a5ab-98fb6bc0105b.vbs"
        15⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df33ae1e-3241-4b96-bf76-d7c638f453fe.vbs"
        13⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a09036c2-418c-4475-91c1-1f5d3ded8ba7.vbs"
        11⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d168dff-a75f-4d80-8d71-562707c4cdd9.vbs"
        9⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7aa26a1d-797e-4903-8954-e95225eb9f1d.vbs"
        7⤵
        
        PID:2924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5f30c3d-4254-4eed-b5a4-d243de72c4e6.vbs"
        5⤵
        
        PID:1036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac5de990-e1bb-41c1-a350-cb16c9c08812.vbs"
    3⤵
    PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe

Filesize
4.9MB

MD5
04a5a680096028d0f1b150420923d6da

SHA1
ea45b7f50479db4e89573601386f600e7cc64aa2

SHA256
c9f1e99052a555dac75bafdd9eee5b662cc4ffe3599e7d6e8dc4211180f68259

SHA512
3d857d1e20b1d05ebdd570c7bc55f41a9d11c5b1550dd0c28085e7957908530f804d5d9ca083dd93cd8639063669487c43fefa0fd893f613074d7d142c9083c3

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe

Filesize
4.9MB

MD5
caf609a361d05d8a1a0f2e077e7c8476

SHA1
87c4baa41ef95a893a07a1a33899551bf09cf35c

SHA256
a61a62711a4d1aca8868da9f53ef5870a14d790362538341dad09a4792cdfbde

SHA512
3fac458e94bfc5a3c7033c561ad77c899f9162eb1c9b3bb2f82d466a653955c631e094a8e1a5f4bba3a8a229c92273365bb2ba8d47fa6df03dca48608032a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bbfebfc-d27d-483d-906a-35e8038d6181.vbs

Filesize
736B

MD5
90da12219e02779620f8bf1e70efd9f0

SHA1
8e683e72dda9ed4bcfd75eb2dd651ead4b3396f9

SHA256
975e7213cc5b682d64fa9c4d6895996723ef8e2cf28801d193a23b92d9569d8c

SHA512
2e690e111ceb86a62d7b3e37f261e73c2f9229d102f345e1c567afb723ed935bef3c409f18150f07ccc8c1290bd31bb325d35857fe9e30c9d427fc93d9271e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\39852769-77ec-4aa5-bec6-43152c3b4c5c.vbs

Filesize
736B

MD5
7ef7e63c02d57436b6682d9081eba0e7

SHA1
79ee3a00040a04cb43ecafb4e0001c16a8ec0464

SHA256
5c0b151f977cfe135f050c56745bb9079965ad14bb9ebcd6fa15cf612a04054e

SHA512
cfb63f414c6b48f8ff120beb333b2c1cf8e5683cac335011efdcaaba6008bc661bc6d522468bb298aecf6c5a6703edc0134c9a92a2b9cc86542388a1b8a7ec4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41e36058-b2f9-4f25-b2e3-ddc658b52835.vbs

Filesize
736B

MD5
eb457065610dd81c869d4202f6407eae

SHA1
00c4e75abb13667d63b9de9ea2ea5f92a1c5eaef

SHA256
687f07609f52ad8663b00aba6bdf13b8a0e36def1c76da6d30797d4783df6163

SHA512
164aa228eac56ea565e51574b319f15cd37ee4c0d63ea78feb94b225ee9a60a720c36cc177b00ad2cbb16783d05d26c63b1513a0a09ad1856cf185946d09481e

Download Submit
C:\Users\Admin\AppData\Local\Temp\62a4075c-86f9-4115-a85e-c85c4de949aa.vbs

Filesize
736B

MD5
78ac58193bd068bbea1807ccc663742c

SHA1
d1565a09df6e2547e57439e0345f9a85c24d745c

SHA256
4d2db8838b1f21cf13b1b7a32b6fef6082c841e065d0ee6821b3fee90ebd9c66

SHA512
ce1f722fa1774f22d34918112a780d7544bf4e2af65006d0553804c0fdf6014b0b18c5499dd107f208c318f590ef524dd7d7c22aee669a96d70bd53ea6c20046

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cf593e2-af46-4547-9e4e-49d99edcb1d9.vbs

Filesize
736B

MD5
8add43cc5af78c4dbaa34b69daa5c63d

SHA1
f5e1cd7d810e724a01295f0796800b712145a329

SHA256
b64bc1bb30150fca4b38ffc93ca86165a76fd9afd202e52661e0af7166ef1fc4

SHA512
cb9991fb618bde68b3c2a37c9c02648e598e110beb8feae3a6d9482543c6faff8e226414793de46612a07d42a95063fabb24ddff6fc0f2b3909f0c95a84c1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac5de990-e1bb-41c1-a350-cb16c9c08812.vbs

Filesize
512B

MD5
43397e5e822b05d79f8a4bcaf8ff5831

SHA1
b4c4f81edcd9398ae5738bfe27711dd33c61973a

SHA256
f9f658111e5f9fccb31509c6cf3e8e4ca0854452b875fc95e05bf7d4870d8e60

SHA512
363d72546d8650093ef78410ec3c7a3ccb88ee60c11c2a892d70a50bc30371286bd414a7f80b5b0da8b024742fcc72a2256c8a9225d7eeaa168b2c68a3c4a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad4d82f3-d68b-416f-88da-16a4afad5c0c.vbs

Filesize
736B

MD5
ecaf3137b65e94e73d0368da9f7f5805

SHA1
c849cd5da5e10f4d89518acb54aac9acb58b9c6f

SHA256
6e29fcaa5fe1cc6768dd2fa70237c253ca840ecc941a36ba8bd14debea764b3b

SHA512
d1a2b127492325435c04a3861d439e869165fb011dd66f42f9edd716f28a09f3816ff74b815d30bf16d3fc553c36a11adc6f6ec4ace7f15bdc5bfbad8e5d7f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\c75d1962-6a71-4c89-b501-5da9d091c3a8.vbs

Filesize
736B

MD5
f8109faf37398d8cad42b488d3fa09b3

SHA1
5e8b4b8986ddf9cb0e72f34be5206c1b628b42a0

SHA256
266c7883c8d7f95d880732a971ded040a6baee74bdd3d7e98fe3f38467930b06

SHA512
f174b9bc5e1e13051d3cbd5b612adc5deb3b7a04b857f699804b822a3442e1229c08b8ab275d73d7f97777d40814470963d0354c0003afabc660ab67bf71a41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbb0d9a1-623a-4e31-8b80-5f9cb71bb3e9.vbs

Filesize
736B

MD5
e31fc97e8b6356b0366d803fafb2fa7c

SHA1
dc727962e0bbff2cba174a560109a257fe6f9062

SHA256
72f5a51622b05388a1a2fd235e4c38b1afedf56921204f98d5fc0ae025f8daeb

SHA512
8e1f1f3005fb8f7e30da05b317264dbf5a4bc65bbd6631dd15880643cf538355d340a083a4bb89d70430bf918308311cb9badcda99beea4a4e0e270ff6445a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\d64f68ce-fcc3-4e67-915f-f1e38b6695ba.vbs

Filesize
736B

MD5
59231be86b02c95b5cc89eb83f362eea

SHA1
9ae165daf252eb429363b3ba04bd61e330c75dac

SHA256
58e4fe36d08d7274f5490dec88800dd8207535e75466d37a4686d7f9fb454523

SHA512
e4b9ecb30772acda9b85231eb4569c56c9ddf1023c79c235d138092641492c31d71e9bdaf9c8d4fa2ff1a8720f4b7e48943d11f771c87182641089ea587214c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e365c087-f4aa-4df6-b50f-d44eb7787109.vbs

Filesize
736B

MD5
e9793214d9e093eb2df51bf8814bf9d0

SHA1
3dec6ef9502f061da59fa8124a4e967855dd258e

SHA256
469e5ad9ff01021efab35f3ffbab2042e63d0a8688b61ede7b2016dfc788271f

SHA512
f594a7ec0801c59aadfb5353709b2c4e79e41e0f712183e610122fde10b000afcc29ff6dc51041920ca8168410474c2050420c81c3b42004c1bbc04093679872

Download Submit
C:\Users\Admin\AppData\Local\Temp\f112c026-da0b-4925-9526-13da15879739.vbs

Filesize
736B

MD5
7967f522f970bb2bdfcd9816e572d030

SHA1
d185b878bd2892b827545bdd808d0279c9106ba0

SHA256
0227bfd99f22be194f0aadebfdbe044f9b3c7d932de9a2cedb77d61ac61dcacb

SHA512
73d48d8c4f33865316f94d6eba5b1177892d7a2617e285771380c0d4d58f3e4aeb5ad377d4b2ade1a9e9a86ecdac834661ad378481af0701d7db9ad2f0796718

Download Submit
C:\Users\Admin\AppData\Local\Temp\fab3dc2e-6ca0-45c6-9f4b-5e12288bf5d5.vbs

Filesize
736B

MD5
f343e34843d4b1b7b365647925bfca06

SHA1
feb582d4edac06f408805819f914ad6e1cc8ab21

SHA256
f29888a8774d7f8f1066c2b55480007249a67b2ae9f96d425aeaa8ea26878f52

SHA512
4a8e3cff7a29954b486ed8ae0d07b98b77385044107136851130fadba6abc746f8c1e8ac538cdf7fbef7bc003596dd3ea7447faf29d4afffc4fdca2395dd188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C11.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e464c701c48d16e9233aa1cb0eb5801

SHA1
958127afe40abc1f92b9becfa352ea968e975ade

SHA256
63d671956a7869bd4443c6b238e61c42155e7606efa8d913a282774af73cbccb

SHA512
70d9b5d825dd8eaa4b6e277a5a219adfd44c37b9b766ced709951279d0b3ecc2d36261707d63c07d9985744e911e7f38225fa5854e41d18bcea112a4d0136c18

Download Submit
memory/340-111-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1372-110-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1632-181-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/2000-197-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/2000-196-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/2044-344-0x0000000000B30000-0x0000000001024000-memory.dmp

Filesize
5.0MB

Download
memory/2108-329-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2132-269-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2232-212-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/2656-284-0x00000000001C0000-0x00000000006B4000-memory.dmp

Filesize
5.0MB

Download
memory/2748-167-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2748-132-0x0000000000E80000-0x0000000001374000-memory.dmp

Filesize
5.0MB

Download
memory/2856-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2856-3-0x000000001B730000-0x000000001B85E000-memory.dmp

Filesize
1.2MB

Download
memory/2856-15-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2856-16-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2856-14-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2856-13-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2856-12-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2856-8-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2856-1-0x0000000000BE0000-0x00000000010D4000-memory.dmp

Filesize
5.0MB

Download
memory/2856-134-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-11-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2856-7-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/2856-6-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2856-10-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2856-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-5-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2856-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2856-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/2884-300-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/2884-299-0x0000000000C90000-0x0000000001184000-memory.dmp

Filesize
5.0MB

Download