dcrat | 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Size

4.9MB
MD5

0f810e60bd97e1197c9243549d36d0b0
SHA1

ad185690f90853a15eae667f6ca3f68031ce5764
SHA256

7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4
SHA512

4277e074e50e9b46f2bde6f1565569f2ffc3f20f275ef8fb24a5a457d18633531d322b39380d24ee9c118e1e714dcce4f8d4c969ea331455f5f85e9db13052e3
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3004	schtasks.exe	30

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2112-3-0x000000001B450000-0x000000001B57E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1984	powershell.exe
2936	powershell.exe
1480	powershell.exe
1120	powershell.exe
1736	powershell.exe
1144	powershell.exe
1340	powershell.exe
2940	powershell.exe
2892	powershell.exe
2104	powershell.exe
1576	powershell.exe
2708	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2068	audiodg.exe
1212	audiodg.exe
2576	audiodg.exe
836	audiodg.exe
2836	audiodg.exe
952	audiodg.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\System.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\wininit.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\56085415360792	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCXCD4A.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXD3C2.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB888.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\42af1c969fbb7b	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files\Uninstall Information\System.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXCB46.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\wininit.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCXBD6B.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\Downloaded Program Files\winlogon.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXD5C6.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXBF6F.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\Downloaded Program Files\winlogon.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\Downloaded Program Files\cc11b995f2a76d	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\LiveKernelReports\0001cd3dfe7b3b	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
1988	schtasks.exe
2856	schtasks.exe
2224	schtasks.exe
2660	schtasks.exe
576	schtasks.exe
3036	schtasks.exe
1632	schtasks.exe
308	schtasks.exe
2764	schtasks.exe
3000	schtasks.exe
2428	schtasks.exe
2976	schtasks.exe
988	schtasks.exe
2524	schtasks.exe
1552	schtasks.exe
2540	schtasks.exe
2384	schtasks.exe
2624	schtasks.exe
2600	schtasks.exe
2616	schtasks.exe
2288	schtasks.exe
1112	schtasks.exe
2144	schtasks.exe
1952	schtasks.exe
2908	schtasks.exe
2760	schtasks.exe
768	schtasks.exe
2812	schtasks.exe
2128	schtasks.exe
836	schtasks.exe
1868	schtasks.exe
1108	schtasks.exe
2704	schtasks.exe
904	schtasks.exe
1280	schtasks.exe
2780	schtasks.exe
684	schtasks.exe
1636	schtasks.exe
2096	schtasks.exe
448	schtasks.exe
1204	schtasks.exe
2732	schtasks.exe
2808	schtasks.exe
2376	schtasks.exe
1792	schtasks.exe
1536	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
1144	powershell.exe
2708	powershell.exe
1736	powershell.exe
1340	powershell.exe
1480	powershell.exe
1576	powershell.exe
1984	powershell.exe
2940	powershell.exe
2104	powershell.exe
2892	powershell.exe
2936	powershell.exe
1120	powershell.exe
2068	audiodg.exe
1212	audiodg.exe
2576	audiodg.exe
836	audiodg.exe
2836	audiodg.exe
952	audiodg.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2068	audiodg.exe
Token: SeDebugPrivilege	1212	audiodg.exe
Token: SeDebugPrivilege	2576	audiodg.exe
Token: SeDebugPrivilege	836	audiodg.exe
Token: SeDebugPrivilege	2836	audiodg.exe
Token: SeDebugPrivilege	952	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1340	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	80
PID 2112 wrote to memory of 1340	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	80
PID 2112 wrote to memory of 1340	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	80
PID 2112 wrote to memory of 1144	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	81
PID 2112 wrote to memory of 1144	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	81
PID 2112 wrote to memory of 1144	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	81
PID 2112 wrote to memory of 1736	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	82
PID 2112 wrote to memory of 1736	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	82
PID 2112 wrote to memory of 1736	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	82
PID 2112 wrote to memory of 2708	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	83
PID 2112 wrote to memory of 2708	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	83
PID 2112 wrote to memory of 2708	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	83
PID 2112 wrote to memory of 1576	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	85
PID 2112 wrote to memory of 1576	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	85
PID 2112 wrote to memory of 1576	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	85
PID 2112 wrote to memory of 2104	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	86
PID 2112 wrote to memory of 2104	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	86
PID 2112 wrote to memory of 2104	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	86
PID 2112 wrote to memory of 2892	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	87
PID 2112 wrote to memory of 2892	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	87
PID 2112 wrote to memory of 2892	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	87
PID 2112 wrote to memory of 1120	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	90
PID 2112 wrote to memory of 1120	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	90
PID 2112 wrote to memory of 1120	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	90
PID 2112 wrote to memory of 1480	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	91
PID 2112 wrote to memory of 1480	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	91
PID 2112 wrote to memory of 1480	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	91
PID 2112 wrote to memory of 2936	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	94
PID 2112 wrote to memory of 2936	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	94
PID 2112 wrote to memory of 2936	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	94
PID 2112 wrote to memory of 1984	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	95
PID 2112 wrote to memory of 1984	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	95
PID 2112 wrote to memory of 1984	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	95
PID 2112 wrote to memory of 2940	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	96
PID 2112 wrote to memory of 2940	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	96
PID 2112 wrote to memory of 2940	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	96
PID 2112 wrote to memory of 2068	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	104
PID 2112 wrote to memory of 2068	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	104
PID 2112 wrote to memory of 2068	2112	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	104
PID 2068 wrote to memory of 2752	2068	audiodg.exe	105
PID 2068 wrote to memory of 2752	2068	audiodg.exe	105
PID 2068 wrote to memory of 2752	2068	audiodg.exe	105
PID 2068 wrote to memory of 2716	2068	audiodg.exe	106
PID 2068 wrote to memory of 2716	2068	audiodg.exe	106
PID 2068 wrote to memory of 2716	2068	audiodg.exe	106
PID 2752 wrote to memory of 1212	2752	WScript.exe	107
PID 2752 wrote to memory of 1212	2752	WScript.exe	107
PID 2752 wrote to memory of 1212	2752	WScript.exe	107
PID 1212 wrote to memory of 1056	1212	audiodg.exe	108
PID 1212 wrote to memory of 1056	1212	audiodg.exe	108
PID 1212 wrote to memory of 1056	1212	audiodg.exe	108
PID 1212 wrote to memory of 1208	1212	audiodg.exe	109
PID 1212 wrote to memory of 1208	1212	audiodg.exe	109
PID 1212 wrote to memory of 1208	1212	audiodg.exe	109
PID 1056 wrote to memory of 2576	1056	WScript.exe	110
PID 1056 wrote to memory of 2576	1056	WScript.exe	110
PID 1056 wrote to memory of 2576	1056	WScript.exe	110
PID 2576 wrote to memory of 2524	2576	audiodg.exe	111
PID 2576 wrote to memory of 2524	2576	audiodg.exe	111
PID 2576 wrote to memory of 2524	2576	audiodg.exe	111
PID 2576 wrote to memory of 2280	2576	audiodg.exe	112
PID 2576 wrote to memory of 2280	2576	audiodg.exe	112
PID 2576 wrote to memory of 2280	2576	audiodg.exe	112
PID 2524 wrote to memory of 836	2524	WScript.exe	113

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ed5967-22db-4bfa-bc7b-2db98b3c2e45.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633690a0-454f-4e86-9f10-a9a0e35b3ef0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee59cee-53f2-4ef7-97c2-169fb390b514.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f8ac9c5-0964-4c0f-b635-b8901a7268f7.vbs"
        9⤵
        
        PID:2432
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f8a5bc-1cda-455a-9410-71db6582d686.vbs"
        11⤵
        
        PID:988
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86eb578a-594e-4e30-87f3-66cac2cb09c4.vbs"
        13⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69baab7a-869c-4099-a750-2e0cae68dc31.vbs"
        13⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f187bc-c9a3-469d-994a-c734220a3175.vbs"
        11⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2757b2e0-5145-4d50-99b5-88bce2fecbd6.vbs"
        9⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c6e9c6-331d-4d9f-9214-53de40310145.vbs"
        7⤵
        
        PID:2280
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22016fb9-c982-4c1b-8943-0377196c4f99.vbs"
        5⤵
        
        PID:1208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dad0acac-24d9-4c8d-8aa0-0fe11bfa2c9b.vbs"
    3⤵
    PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N7" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N7" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dwm.exe

Filesize
4.9MB

MD5
92fc0a8e12ad7b605214c8984918f120

SHA1
1970a99d4ea49262ad2511e0fad4fb6acf19d982

SHA256
0efb7fbdcdb11efc0cf26e379d12e5a5decfca4a2ea369d19a0631ac3d378269

SHA512
fbaa97de25e173e88a43aa1de4b13d299da4caffe8473bb5a207d72beb146b2884fef8d7b9744e2e02ad3ffcb020121bc270a47ade8148efff5addc38eaa5e44

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe

Filesize
4.9MB

MD5
9ddce935687c32a87452e53dc57b6a0c

SHA1
90f06d9f756cdefa86c67a9416d5462ff4629fb4

SHA256
8080f99bd2bf5841cf814e0daa98ed19a3b131ae0da57ef11a8c31c5c264bf0f

SHA512
741eb832791ce97f9f71a26157728783dc9ba7d7782bdbdae281fb06be660da7fbd5b5bb36a9712e9975efa29804dffe23cb2f95e6f61d1140643eaae7ecdb56

Download Submit
C:\Users\Admin\AppData\Local\Temp\07f8a5bc-1cda-455a-9410-71db6582d686.vbs

Filesize
736B

MD5
6b079e5dcddc076c63e291b010b60469

SHA1
f66aa1487d6977f4f4a6f9e5c7cb16c03461399c

SHA256
35df87099d734614d7dbc6887e5b2390babeee985b70c1ebbe657f13a84b7ee5

SHA512
25496242753b84e44a4b42fd4f0df3ae3bcd7ebc588f43b12d7eb2ab55689fdea9a3121ee3ae3c4708a03f66282e66fb2f04ae48daf003e0fa77058b0f554595

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee59cee-53f2-4ef7-97c2-169fb390b514.vbs

Filesize
736B

MD5
f6de270030c59be3feb2f492df4372c2

SHA1
46eb1ed45b6999c2f5c841b279cf84e725b7ca71

SHA256
bb83ff8d9907b0c9e1c4024b908a50c685bd941d36e581259b3851e7e6e4cb52

SHA512
f433f6731a3b123c9e40d3157f8132dfc98d84e858fd4543984e4585409e568b188b8aea01a137a01f2fe54ed87aabfe704b27392ce71cd70c60cb03a2099f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ed5967-22db-4bfa-bc7b-2db98b3c2e45.vbs

Filesize
736B

MD5
7fbffa4748a3011ea7b2bcaf02d2c367

SHA1
b538cb0b21962ceb0a80014981071fd90330a017

SHA256
52ae940829912a3b048dec4923e47b555e3ad78180795f4b9ebaac7ba9eb830b

SHA512
5fee43b0139cfa15045472bc5a642f8a7a0fad3b366d27a98e25408fe3f301018183ec4aef25a1e75dbdc09477dda075c6f7da199c80d87ae1a036fd7c5ab279

Download Submit
C:\Users\Admin\AppData\Local\Temp\633690a0-454f-4e86-9f10-a9a0e35b3ef0.vbs

Filesize
736B

MD5
0053574ebbbcea3d968368c21c3a5507

SHA1
2e1eb36222763fdb4c7e0bbf4d7a2d3fb8a58aca

SHA256
6864cb8225dac934d248e039d2b77fb836d3a031528b702dc5b1aa0b66659588

SHA512
3b45c2e0c52d8d64078ace691b5c4b49dc93876ede9c3af1e6b2210e2ef23f18b98a2dbb1523cea4c8d81b75da8ca0c4811ae0fc3e12bd5b2210a7b0568ce22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\86eb578a-594e-4e30-87f3-66cac2cb09c4.vbs

Filesize
735B

MD5
bab9a00f1a2f38c7f8a9be26b55cffad

SHA1
05a48f2f6ad7850114840545f4c307276484b509

SHA256
e98b54740a316a37b25de116f10ede05f63009f944c1d39ef30710f310773faa

SHA512
52a690f4ba1b07756399d2aea9cf18fbd6cb2ed0cb202c592bb563cdf6a6777b8f7079f17b1a07b44c229e865619e28e50e21d569750ab85a2037a29c55e8ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f8ac9c5-0964-4c0f-b635-b8901a7268f7.vbs

Filesize
735B

MD5
3f8a48614713fc5fc46affeb4240176f

SHA1
4e50354d71fd3b1b0ef1e75eb39a5df49a64e93d

SHA256
62d439f478a65849b8b579f2c6c730b4f677b14564bfdb82591c9d6af45c336c

SHA512
3c413b7e3bc31aa72b1f2a0451385b3cf7df96cc841da91555c7a4e5efc7331a86a54599b87dd068def06f8fc012d2071a84c44b1fdf28155c27ff89d2e9c08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dad0acac-24d9-4c8d-8aa0-0fe11bfa2c9b.vbs

Filesize
512B

MD5
7d2db8ea4db845a2a0e445232fb6c883

SHA1
e678bfc425615b9a6c91a95aa1dac7d08697ae8d

SHA256
cbecc1549b7a5cd986314a11ac094414521b17fc43a4de7df41368b6929c8fbe

SHA512
c20bc3d49611516e4b9979ee8bbc44eb35f68109d28adc1abf452d91719eda82d8910e1f3d684fc744eacf9fe08d12ddc9ede115ae8204b7cf7160359dddafa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDB9.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99a497b39e908b8ef0fb786815e51603

SHA1
00a6741780ac4c7f6e30cff1eb29987aa730989b

SHA256
8254abbd97f15527fd719e73fcd0c9d5a8d496a410d5d3d35d49706b2bc6a7a6

SHA512
3939cc589082211ba2ea966ac93055482e9396558643cbd4a6fcf076507a8aea27a8c9630ed6b3cdc2bedf1827d1e78e4530d4a8b40109378b84d93246b31de4

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
4.9MB

MD5
dd8b854aaba64daa2840bff1a8575ee9

SHA1
9a7a01f4741928a66cd7b4fc40d99dc14147f7b2

SHA256
63181680e1e83afa14e116b2f1af4742e87701508e2537ee6525d88f606f4e44

SHA512
4b45a3e625e395da94720724bbdffa6037b50f32400f8b227f656de256a7ec2d52aefdd9b48ee94efab84e3fd65b146dc93c27f269de988283fbc65dec3d9a0c

Download Submit
C:\Users\Admin\Saved Games\RCXD1BF.tmp

Filesize
4.9MB

MD5
5ec5944c75c9592ab476f3d46b95fd2b

SHA1
de980131cfab0578240079d90e67ea1fbe69fbc8

SHA256
de01fa3da110649647f54905b1952c41bdeee1467e926f0a313a1b1de92bf461

SHA512
b79ce58c5bf3a3ae691480ebf263e652364e6b8f331bdab81cbf17a6c8151bbb13ecd20df509aef831917c585f3943609223097764fa37dfb733105350a85aff

Download Submit
C:\Windows\Downloaded Program Files\winlogon.exe

Filesize
4.9MB

MD5
0f810e60bd97e1197c9243549d36d0b0

SHA1
ad185690f90853a15eae667f6ca3f68031ce5764

SHA256
7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4

SHA512
4277e074e50e9b46f2bde6f1565569f2ffc3f20f275ef8fb24a5a457d18633531d322b39380d24ee9c118e1e714dcce4f8d4c969ea331455f5f85e9db13052e3

Download Submit
memory/836-271-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/952-300-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/1144-178-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1144-177-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1212-240-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/2068-191-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2112-0-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2112-6-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2112-11-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/2112-10-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/2112-9-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2112-179-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-13-0x0000000000D60000-0x0000000000D6E000-memory.dmp

Filesize
56KB

Download
memory/2112-130-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2112-12-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2112-7-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/2112-8-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/2112-145-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-16-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/2112-5-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2112-1-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2112-14-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2112-4-0x0000000000810000-0x000000000082C000-memory.dmp

Filesize
112KB

Download
memory/2112-15-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2112-3-0x000000001B450000-0x000000001B57E000-memory.dmp

Filesize
1.2MB

Download
memory/2112-2-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-256-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/2576-255-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download