dcrat | 85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Size

4.9MB
MD5

5be41c7ee0a83c4e3be16eec0584ebf0
SHA1

5dcd33a9b54d087cf612da502b9f3ce055aee5a0
SHA256

85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c
SHA512

24f106fc859a9fc70c4715e27100dbb4b4eafbe5737d4e17ed51736aeee2e7a6c0dc4928b919104e7ea3150eca2aacd21257c547bdf111c2c872840b37621a85
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2108	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2108	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/868-3-0x000000001B6B0000-0x000000001B7DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
1088	powershell.exe
1108	powershell.exe
2440	powershell.exe
2612	powershell.exe
2624	powershell.exe
2588	powershell.exe
2608	powershell.exe
2988	powershell.exe
2976	powershell.exe
1008	powershell.exe
1052	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1996	audiodg.exe
1264	audiodg.exe
3032	audiodg.exe
2520	audiodg.exe
868	audiodg.exe
996	audiodg.exe
2004	audiodg.exe
980	audiodg.exe
800	audiodg.exe
2672	audiodg.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe
2744	schtasks.exe
2892	schtasks.exe
2816	schtasks.exe
2768	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
2624	powershell.exe
2612	powershell.exe
1052	powershell.exe
2588	powershell.exe
2988	powershell.exe
1088	powershell.exe
2608	powershell.exe
2976	powershell.exe
1108	powershell.exe
2440	powershell.exe
1008	powershell.exe
2984	powershell.exe
1996	audiodg.exe
1264	audiodg.exe
3032	audiodg.exe
2520	audiodg.exe
868	audiodg.exe
996	audiodg.exe
2004	audiodg.exe
980	audiodg.exe
800	audiodg.exe
2672	audiodg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1996	audiodg.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1264	audiodg.exe
Token: SeDebugPrivilege	3032	audiodg.exe
Token: SeDebugPrivilege	2520	audiodg.exe
Token: SeDebugPrivilege	868	audiodg.exe
Token: SeDebugPrivilege	996	audiodg.exe
Token: SeDebugPrivilege	2004	audiodg.exe
Token: SeDebugPrivilege	980	audiodg.exe
Token: SeDebugPrivilege	800	audiodg.exe
Token: SeDebugPrivilege	2672	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2588	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	38
PID 868 wrote to memory of 2588	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	38
PID 868 wrote to memory of 2588	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	38
PID 868 wrote to memory of 2608	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	39
PID 868 wrote to memory of 2608	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	39
PID 868 wrote to memory of 2608	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	39
PID 868 wrote to memory of 2624	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	40
PID 868 wrote to memory of 2624	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	40
PID 868 wrote to memory of 2624	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	40
PID 868 wrote to memory of 2612	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	43
PID 868 wrote to memory of 2612	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	43
PID 868 wrote to memory of 2612	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	43
PID 868 wrote to memory of 2976	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	44
PID 868 wrote to memory of 2976	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	44
PID 868 wrote to memory of 2976	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	44
PID 868 wrote to memory of 2440	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	45
PID 868 wrote to memory of 2440	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	45
PID 868 wrote to memory of 2440	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	45
PID 868 wrote to memory of 2984	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	46
PID 868 wrote to memory of 2984	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	46
PID 868 wrote to memory of 2984	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	46
PID 868 wrote to memory of 2988	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	47
PID 868 wrote to memory of 2988	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	47
PID 868 wrote to memory of 2988	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	47
PID 868 wrote to memory of 1052	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	48
PID 868 wrote to memory of 1052	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	48
PID 868 wrote to memory of 1052	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	48
PID 868 wrote to memory of 1108	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	49
PID 868 wrote to memory of 1108	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	49
PID 868 wrote to memory of 1108	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	49
PID 868 wrote to memory of 1008	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	50
PID 868 wrote to memory of 1008	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	50
PID 868 wrote to memory of 1008	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	50
PID 868 wrote to memory of 1088	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	51
PID 868 wrote to memory of 1088	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	51
PID 868 wrote to memory of 1088	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	51
PID 868 wrote to memory of 1996	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	62
PID 868 wrote to memory of 1996	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	62
PID 868 wrote to memory of 1996	868	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe	62
PID 1996 wrote to memory of 2664	1996	audiodg.exe	63
PID 1996 wrote to memory of 2664	1996	audiodg.exe	63
PID 1996 wrote to memory of 2664	1996	audiodg.exe	63
PID 1996 wrote to memory of 2784	1996	audiodg.exe	64
PID 1996 wrote to memory of 2784	1996	audiodg.exe	64
PID 1996 wrote to memory of 2784	1996	audiodg.exe	64
PID 2664 wrote to memory of 1264	2664	WScript.exe	65
PID 2664 wrote to memory of 1264	2664	WScript.exe	65
PID 2664 wrote to memory of 1264	2664	WScript.exe	65
PID 1264 wrote to memory of 864	1264	audiodg.exe	66
PID 1264 wrote to memory of 864	1264	audiodg.exe	66
PID 1264 wrote to memory of 864	1264	audiodg.exe	66
PID 1264 wrote to memory of 272	1264	audiodg.exe	67
PID 1264 wrote to memory of 272	1264	audiodg.exe	67
PID 1264 wrote to memory of 272	1264	audiodg.exe	67
PID 864 wrote to memory of 3032	864	WScript.exe	68
PID 864 wrote to memory of 3032	864	WScript.exe	68
PID 864 wrote to memory of 3032	864	WScript.exe	68
PID 3032 wrote to memory of 1152	3032	audiodg.exe	69
PID 3032 wrote to memory of 1152	3032	audiodg.exe	69
PID 3032 wrote to memory of 1152	3032	audiodg.exe	69
PID 3032 wrote to memory of 1896	3032	audiodg.exe	70
PID 3032 wrote to memory of 1896	3032	audiodg.exe	70
PID 3032 wrote to memory of 1896	3032	audiodg.exe	70
PID 1152 wrote to memory of 2520	1152	WScript.exe	71

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe
"C:\Users\Admin\AppData\Local\Temp\85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62cN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Users\Admin\Music\audiodg.exe
  "C:\Users\Admin\Music\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf501bc-6182-409b-b482-3e8138246bd7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\Music\audiodg.exe
      C:\Users\Admin\Music\audiodg.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1264
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b07ed07a-8be5-4387-a480-86c88dfe57a6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31d6af39-eb31-4df4-9694-b81ce2bfc5d3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c54e0ff6-3d1c-4b00-bf33-e30ffb20b6e1.vbs"
        9⤵
        
        PID:1792
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8563f3cc-d209-4900-b099-a38d76781978.vbs"
        11⤵
        
        PID:2332
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc236e47-79ae-4f89-bc12-a1dc195f5255.vbs"
        13⤵
        
        PID:2104
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e9d83b-95c6-403c-95e4-44e71b3cbc19.vbs"
        15⤵
        
        PID:2180
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\809edc55-320b-4041-8947-4b2d087db93f.vbs"
        17⤵
        
        PID:2136
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c30eb80-b06f-41a7-a697-ecf383ffd530.vbs"
        19⤵
        
        PID:1920
        
        C:\Users\Admin\Music\audiodg.exe
        
        C:\Users\Admin\Music\audiodg.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6a74be9-1091-4aa2-831e-bf3f99145d9e.vbs"
        21⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2fdf1f-9f86-4706-b7e2-2d3d9652150e.vbs"
        21⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e787ea-24e9-4f20-a884-ff89d5a9cd41.vbs"
        19⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9598b5cb-ea80-45f5-9866-fee5509f31da.vbs"
        17⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f599ba15-bdac-4dac-8782-cff7b69fa393.vbs"
        15⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b30836-b92b-439d-ab74-afbc38057618.vbs"
        13⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7692f5-7521-4a1f-a9b5-f67f189a1e74.vbs"
        11⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e976ed-7825-44d8-9b12-d92d2427461f.vbs"
        9⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34c642f6-8670-4449-bbf2-5892ca374b3b.vbs"
        7⤵
        
        PID:1896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcf68c1-fb20-4945-903b-71b02fefe21c.vbs"
        5⤵
        
        PID:272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f2d856c-ed51-4db4-9464-5db117411231.vbs"
    3⤵
    PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c30eb80-b06f-41a7-a697-ecf383ffd530.vbs

Filesize
707B

MD5
f6b21dc1364ab807d99d7c9f0f3db444

SHA1
5a78858653e04b0e7aea95f1b4bc30d5b8501e1b

SHA256
59b7fbbfb9213412d980008de58f298bcac4cf1745e63468c2b2aeb3f24f0b08

SHA512
618460d9d253f004da63a038e9882481b4debcfeec5d320def3ab6c08b4fcf4699bfbd508413522f0d57f060c296c3a029dbfa15b26a6e508bc298430f00321a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bf501bc-6182-409b-b482-3e8138246bd7.vbs

Filesize
708B

MD5
549a1494e4ca016d20ee3abea19fa666

SHA1
760aff0a6d0b4c0e54b112f0837e8e77744ff523

SHA256
463f5a79243e0b5e1f588bba2cb638e6a1d662329ed4e380a0e125f0c245412d

SHA512
e450d880592619d137334c115ac70765cdf43aff86cfc9e3610f1ada60c3c3ef86f517f34de6dca4674189fe555c55cb8724297d7805149692f716f51c9053f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31d6af39-eb31-4df4-9694-b81ce2bfc5d3.vbs

Filesize
708B

MD5
0e6afbcfe37e1a9ccd3b7cea8f2e0278

SHA1
c38430afab05aa4e4dc9c42872e61a32a08960c3

SHA256
1983306136819ec342fdea19544d5252194ee688e64abd8b1a0d38bcc8d70f41

SHA512
e3e4213b8903b8fabef7e1700a8d8ff6e2c459686b1a4ee3688abb295fa428488ba47753558ea5ef330d6ed99e4d30fc38476574f1435313a0057143e0dd1b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2d856c-ed51-4db4-9464-5db117411231.vbs

Filesize
484B

MD5
9df82cca893f0c0a4532025aebf18a02

SHA1
631030daba7f46aec8770f4bc72771be4e649bba

SHA256
a6808536d9aa1686346176188efde236c956c39eb0e69ae10f47a73e7005497f

SHA512
d56591e357529d1f44af6071e209c4e2cc5a785ada1143df9431f5b0ebcdf72e7c0c02a6f20528aa90b318c2d8cbad03d897c659dea52e7800ce25cde34b89d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\809edc55-320b-4041-8947-4b2d087db93f.vbs

Filesize
707B

MD5
ae0c3b2842873370bc3b11c16fcc540d

SHA1
04c8d9780239a90235140908c453342cb7de7be7

SHA256
9c73e45ef42422c157f78f5b6f278b3fead928e122848cb2c0cff21f9a68b1e2

SHA512
a82b151ef757ae7d601996e712938fb278e4a6d1dffec9e24bec9f5f6e8f1ea75adb2806d4cb455bd91434c630173164940fca913dbfd84a81ca186f70e762e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8563f3cc-d209-4900-b099-a38d76781978.vbs

Filesize
707B

MD5
8e059d02f2ccc3d06fc19a1af5b7049d

SHA1
d799bb38811a1feacc419bbd44e70e6f8ad5b375

SHA256
cf38239e21cf4b2fb5d9b175558883217f1eb6c8b2e8c0e110f501fd2523a148

SHA512
eefc826261c5c714591ec7221ef490d69624ef85e99cb4cedf6e3196092f3e420aa377223f7ca862df365497d5b2581cdb5666ad771bef426ad93e8ea1057143

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e9d83b-95c6-403c-95e4-44e71b3cbc19.vbs

Filesize
708B

MD5
4fa796a2a868a1fb924a6900fcd19c5b

SHA1
5433e09d698ed84408e1aec06ddceee0ed7c9bc6

SHA256
97e2e292f9fa35912867919ba4d5f5479b924a4bda155e859e25d7ec0a569971

SHA512
923fae45abb7381133aaa1e1469d4c841378153757f2ad15f2ab75caa735a993d25aabeccbfc8c39ca4c9ca634bef2d7bb7c92e94bd6eba6777a635e42ebf776

Download Submit
C:\Users\Admin\AppData\Local\Temp\b07ed07a-8be5-4387-a480-86c88dfe57a6.vbs

Filesize
708B

MD5
c075dbfeaad045618f0774f0d5d89d54

SHA1
e0b986ae1ac6d579bcd32bc8f38a237084ba92e7

SHA256
dd6ebc233ba2b8e25dac9505c00a8f09c36f394de6d50968fc305341cf3575e6

SHA512
16530365c7b28894beab72965f1a4845075cce16167f6b3116e71a63bb5c98ba0b8812dd8157a0e00075e30d3e1c5e039566c2d8c3b1c7276e6f54755f71cfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c54e0ff6-3d1c-4b00-bf33-e30ffb20b6e1.vbs

Filesize
708B

MD5
e97ecdd5885df288698cc172dea259dd

SHA1
920048d80db47556db73794546b1304c70fc7878

SHA256
98a4cdcdb4091096abd1d566f69d0aabbe9566912fc34f606b7d39ddd442cb8b

SHA512
defa51ae0972f8be189bfbbe414537b235f3312f9b983c7de843a807f88b10f3c2fec78c6d0d227bd0d337287698dc1b597cd2792445fddebd40bd43f95e7dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6a74be9-1091-4aa2-831e-bf3f99145d9e.vbs

Filesize
708B

MD5
f7dbd6c288c33e69e32ecfb82195caac

SHA1
50842da7f0bf8f87e6ab8c1b80c5f512cb556037

SHA256
bbc765006404ed15676548cbd0b828585e5938519cedc5f2c9ba57999d61d679

SHA512
29578598989fa0121c92e4ab5b3894402dbbc1030c0fea2689e7d7c5c887e5767f766cfffe33674b119c992ba084f9e7a7b9ef76ae807a7c557d1d5b6e943d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc236e47-79ae-4f89-bc12-a1dc195f5255.vbs

Filesize
707B

MD5
a9fdd1d201da57a3c205a3ec943a1fa8

SHA1
d1bfbee22ae217e0c56aca3a65748e2503c9ad98

SHA256
be28e7e57e85fb67f8477be59709e2ef423a263f1f3d0b434623ab6f873362d8

SHA512
65c94f74f15b2f79e297873fa4b6e1d6b3156aaf1a88b447986d02c29a704f842146b9c6441dbec049ad8abb821eeb67fa8dc55f82ca10c17159fdd2f3f7f398

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFC2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7baf3fcf88531306c0d7497d4bf87a6a

SHA1
af2b511f665c855767f4baf719b0854765da913d

SHA256
4a6b6390cf431e2263024bb463c37bd1adecaec572339c495b16908033491a2d

SHA512
2f406ff3f795c3764a6a3ec3322c06488f5957bd8fa3328816e2b394f064915c963a9b290c1dcfd170e6ab8c59fdfd0ac5f49d4ee537ef2e791111c2e319898c

Download Submit
C:\Users\Admin\Music\audiodg.exe

Filesize
4.9MB

MD5
5be41c7ee0a83c4e3be16eec0584ebf0

SHA1
5dcd33a9b54d087cf612da502b9f3ce055aee5a0

SHA256
85f00aaec0edca1b176e93ad542a4bc8c27b09ee77b883b31de64ca38fd2f62c

SHA512
24f106fc859a9fc70c4715e27100dbb4b4eafbe5737d4e17ed51736aeee2e7a6c0dc4928b919104e7ea3150eca2aacd21257c547bdf111c2c872840b37621a85

Download Submit
memory/868-9-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/868-8-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/868-16-0x000000001AAB0000-0x000000001AABC000-memory.dmp

Filesize
48KB

Download
memory/868-14-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/868-1-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/868-13-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/868-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/868-3-0x000000001B6B0000-0x000000001B7DE000-memory.dmp

Filesize
1.2MB

Download
memory/868-98-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/868-4-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/868-5-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/868-12-0x0000000002460000-0x000000000246E000-memory.dmp

Filesize
56KB

Download
memory/868-11-0x0000000002450000-0x000000000245A000-memory.dmp

Filesize
40KB

Download
memory/868-10-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/868-6-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/868-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/868-15-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/868-7-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/1008-109-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1264-123-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1996-83-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2440-57-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2624-64-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download
memory/2984-105-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download