dcrat | 8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Size

4.9MB
MD5

c62cd7e55437ae4873f4cc2e98d87ccb
SHA1

99a5dc009e586ebb83f324c03f1729dad34ee031
SHA256

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77
SHA512

497d6ed88c05e7b689f2fd8a00c92a652fd1f31edacf0b69edef0adb2f250509a1aee00beb4d6496021dd4aeb1b015b63ad6c70a5bf76466fd4104d1ee17754c
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8B:J

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2180	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2168-2-0x000000001B400000-0x000000001B52E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1692	powershell.exe
1820	powershell.exe
2456	powershell.exe
2484	powershell.exe
372	powershell.exe
1584	powershell.exe
1608	powershell.exe
600	powershell.exe
784	powershell.exe
2268	powershell.exe
2240	powershell.exe
1816	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
2836	audiodg.exe
1092	audiodg.exe
2380	audiodg.exe
1204	audiodg.exe
2728	audiodg.exe
2084	audiodg.exe
2648	audiodg.exe
676	audiodg.exe
2520	audiodg.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 8 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\f3b6ecef712a24	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\7-Zip\RCXC4AF.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files\7-Zip\services.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCXC8B7.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\spoolsv.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\7-Zip\services.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files\7-Zip\c5b4cb5e9653cc	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\spoolsv.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

Drops file in Windows directory 8 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

description	ioc	Process
File created	C:\Windows\L2Schemas\42af1c969fbb7b	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\RCXC22F.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\L2Schemas\RCXCABB.tmp	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File opened for modification	C:\Windows\L2Schemas\audiodg.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\c5b4cb5e9653cc	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
File created	C:\Windows\L2Schemas\audiodg.exe	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2728	schtasks.exe
2636	schtasks.exe
1308	schtasks.exe
2892	schtasks.exe
2992	schtasks.exe
2752	schtasks.exe
1344	schtasks.exe
1732	schtasks.exe
2820	schtasks.exe
596	schtasks.exe
1272	schtasks.exe
700	schtasks.exe
1440	schtasks.exe
928	schtasks.exe
2804	schtasks.exe
2732	schtasks.exe
2684	schtasks.exe
2360	schtasks.exe
2760	schtasks.exe
2680	schtasks.exe
1964	schtasks.exe
1156	schtasks.exe
2944	schtasks.exe
2928	schtasks.exe
1876	schtasks.exe
824	schtasks.exe
2872	schtasks.exe
2868	schtasks.exe
2712	schtasks.exe
2600	schtasks.exe
2716	schtasks.exe
2572	schtasks.exe
772	schtasks.exe
900	schtasks.exe
2372	schtasks.exe
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
600	powershell.exe
2268	powershell.exe
1584	powershell.exe
372	powershell.exe
1820	powershell.exe
2240	powershell.exe
1816	powershell.exe
2456	powershell.exe
2484	powershell.exe
1608	powershell.exe
784	powershell.exe
1692	powershell.exe
2836	audiodg.exe
1092	audiodg.exe
2380	audiodg.exe
1204	audiodg.exe
2728	audiodg.exe
2084	audiodg.exe
2648	audiodg.exe
676	audiodg.exe
2520	audiodg.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2836	audiodg.exe
Token: SeDebugPrivilege	1092	audiodg.exe
Token: SeDebugPrivilege	2380	audiodg.exe
Token: SeDebugPrivilege	1204	audiodg.exe
Token: SeDebugPrivilege	2728	audiodg.exe
Token: SeDebugPrivilege	2084	audiodg.exe
Token: SeDebugPrivilege	2648	audiodg.exe
Token: SeDebugPrivilege	676	audiodg.exe
Token: SeDebugPrivilege	2520	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exe

description	pid	Process	procid_target
PID 2168 wrote to memory of 1816	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	68
PID 2168 wrote to memory of 1816	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	68
PID 2168 wrote to memory of 1816	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	68
PID 2168 wrote to memory of 1608	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	69
PID 2168 wrote to memory of 1608	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	69
PID 2168 wrote to memory of 1608	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	69
PID 2168 wrote to memory of 1584	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	70
PID 2168 wrote to memory of 1584	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	70
PID 2168 wrote to memory of 1584	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	70
PID 2168 wrote to memory of 600	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	71
PID 2168 wrote to memory of 600	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	71
PID 2168 wrote to memory of 600	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	71
PID 2168 wrote to memory of 1692	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	72
PID 2168 wrote to memory of 1692	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	72
PID 2168 wrote to memory of 1692	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	72
PID 2168 wrote to memory of 784	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	73
PID 2168 wrote to memory of 784	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	73
PID 2168 wrote to memory of 784	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	73
PID 2168 wrote to memory of 1820	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	74
PID 2168 wrote to memory of 1820	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	74
PID 2168 wrote to memory of 1820	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	74
PID 2168 wrote to memory of 2268	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	75
PID 2168 wrote to memory of 2268	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	75
PID 2168 wrote to memory of 2268	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	75
PID 2168 wrote to memory of 2456	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	76
PID 2168 wrote to memory of 2456	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	76
PID 2168 wrote to memory of 2456	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	76
PID 2168 wrote to memory of 2484	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	77
PID 2168 wrote to memory of 2484	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	77
PID 2168 wrote to memory of 2484	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	77
PID 2168 wrote to memory of 372	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	78
PID 2168 wrote to memory of 372	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	78
PID 2168 wrote to memory of 372	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	78
PID 2168 wrote to memory of 2240	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	79
PID 2168 wrote to memory of 2240	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	79
PID 2168 wrote to memory of 2240	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	79
PID 2168 wrote to memory of 2836	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	92
PID 2168 wrote to memory of 2836	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	92
PID 2168 wrote to memory of 2836	2168	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe	92
PID 2836 wrote to memory of 1140	2836	audiodg.exe	93
PID 2836 wrote to memory of 1140	2836	audiodg.exe	93
PID 2836 wrote to memory of 1140	2836	audiodg.exe	93
PID 2836 wrote to memory of 1312	2836	audiodg.exe	94
PID 2836 wrote to memory of 1312	2836	audiodg.exe	94
PID 2836 wrote to memory of 1312	2836	audiodg.exe	94
PID 1140 wrote to memory of 1092	1140	WScript.exe	95
PID 1140 wrote to memory of 1092	1140	WScript.exe	95
PID 1140 wrote to memory of 1092	1140	WScript.exe	95
PID 1092 wrote to memory of 308	1092	audiodg.exe	96
PID 1092 wrote to memory of 308	1092	audiodg.exe	96
PID 1092 wrote to memory of 308	1092	audiodg.exe	96
PID 1092 wrote to memory of 2132	1092	audiodg.exe	97
PID 1092 wrote to memory of 2132	1092	audiodg.exe	97
PID 1092 wrote to memory of 2132	1092	audiodg.exe	97
PID 308 wrote to memory of 2380	308	WScript.exe	98
PID 308 wrote to memory of 2380	308	WScript.exe	98
PID 308 wrote to memory of 2380	308	WScript.exe	98
PID 2380 wrote to memory of 2880	2380	audiodg.exe	99
PID 2380 wrote to memory of 2880	2380	audiodg.exe	99
PID 2380 wrote to memory of 2880	2380	audiodg.exe	99
PID 2380 wrote to memory of 824	2380	audiodg.exe	100
PID 2380 wrote to memory of 824	2380	audiodg.exe	100
PID 2380 wrote to memory of 824	2380	audiodg.exe	100
PID 2880 wrote to memory of 1204	2880	WScript.exe	101

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exeaudiodg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe
"C:\Users\Admin\AppData\Local\Temp\8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\L2Schemas\audiodg.exe
  "C:\Windows\L2Schemas\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4b58c4-988b-456e-84ac-0f8ff763d56e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\L2Schemas\audiodg.exe
      C:\Windows\L2Schemas\audiodg.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1092
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f86d2b4-c5e2-4bfb-9766-a40664767020.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
      - C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234ce217-d68a-441f-a3f9-335b0d610ff4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\862a188b-3ebc-4c7c-ae44-8836b8a62f8d.vbs"
        9⤵
        
        PID:2088
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dec53f6a-19a8-4cfc-8992-ffe4bb49f9ca.vbs"
        11⤵
        
        PID:1936
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748234f2-0999-4f7e-8e60-49ece051c1fd.vbs"
        13⤵
        
        PID:1028
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7fa4c8-cfbe-4bdd-ad3f-6f2f23eaaeb3.vbs"
        15⤵
        
        PID:900
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3387a7d-a6a1-471b-a959-ce0d1c364d4e.vbs"
        17⤵
        
        PID:2632
        
        C:\Windows\L2Schemas\audiodg.exe
        
        C:\Windows\L2Schemas\audiodg.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d25ed37e-e109-45d8-a89d-0687604ad104.vbs"
        19⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c02722-9801-4225-894c-62d2b9ccc4cc.vbs"
        19⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ea224fe-296d-4f3c-b034-5c2adf2c232a.vbs"
        17⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\348570e2-a46c-4427-8117-3b3a15c2643a.vbs"
        15⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d6111f-598d-4756-86ea-14b582caf9f3.vbs"
        13⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ea7f295-4c41-407c-a6a5-084a9f851ab0.vbs"
        11⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\536c1165-f902-4655-9f71-2c75510b543b.vbs"
        9⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0f5ac02-c182-4858-acee-d6d48023309b.vbs"
        7⤵
        
        PID:824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd0fadf-b317-4b30-b5d7-6188cd64dda4.vbs"
        5⤵
        
        PID:2132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ae09bb-f8a4-4034-815c-d49bb8cfff2f.vbs"
    3⤵
    PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\L2Schemas\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
4.9MB

MD5
c62cd7e55437ae4873f4cc2e98d87ccb

SHA1
99a5dc009e586ebb83f324c03f1729dad34ee031

SHA256
8c84d9701048f57f131151b58294d2884c850fccfc5b1200b2d783a8f0ca4a77

SHA512
497d6ed88c05e7b689f2fd8a00c92a652fd1f31edacf0b69edef0adb2f250509a1aee00beb4d6496021dd4aeb1b015b63ad6c70a5bf76466fd4104d1ee17754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b4b58c4-988b-456e-84ac-0f8ff763d56e.vbs

Filesize
708B

MD5
0947245c815329c246108fb5bc666047

SHA1
8d6ee274d891cfa3fc2ed29dd8b3472358a65d73

SHA256
4e39cd25a69ac22b50a387368c19baa8e36ac4b7f7218d52f3621d29cd50fe6b

SHA512
556d1d43dec1ed13915bc09abc22d35841115bc8e45155dfbce8a284af6451dfbc427216861a9f3d35675def09803859c6c513a955107c94dd5a9ba07e454fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\11ae09bb-f8a4-4034-815c-d49bb8cfff2f.vbs

Filesize
484B

MD5
96fc3a082b8abb144a2b9058e7061ac2

SHA1
9ee61c63ad14b74e5bbdf9fe781b71636d276631

SHA256
3b98b64145c0713ab324bbc626626f4e1e4ea9927e112d0a124e71d36640689f

SHA512
6f6a37d593fbc02591b1e777531b9c5d5cf4bfb3307da87482702c67c0ae2a45a5f9995e0aa8557bcb814c3a0b17e2682b107cb1b5cb68d8640646aba9af60d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\234ce217-d68a-441f-a3f9-335b0d610ff4.vbs

Filesize
708B

MD5
25b0cf1783c27da5f4566dc06ecd612e

SHA1
553af6818dde4fbd06b878073ea9975728c97701

SHA256
ba780f6be00309cb829e4b7044c651cac56fc90c3cc6ea3d8d2fcc4b768bf5b0

SHA512
059f397fd7a4dd75be72df06a6f0fa537ea9892c31e4f067e717ff393901475799529f1acb984d6e16f0a3ba45577f30ff8765fae6edf426541b506d318359a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\748234f2-0999-4f7e-8e60-49ece051c1fd.vbs

Filesize
708B

MD5
da1011a07e0661e2af73b6a003a1b390

SHA1
0d30c3c584e6a64be977259886f63051515d25b9

SHA256
5f660d53e2e19df2fc6e0e5cc231c7d032cf34e5fa8b44e78c3832a35c874eec

SHA512
f30deb8b72a6f4812ab49ec89b0c5875d3249fd1b6b512b1d400427804cd6fc664410c457733544f7b36261ec544c8d012eb93ba50e7ab872af32a46f168a7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\862a188b-3ebc-4c7c-ae44-8836b8a62f8d.vbs

Filesize
708B

MD5
f16e12f4c38a8ca657d10e9e9bc6b092

SHA1
ae5bd84c99bea094f05f2da96a3d9957692ec87a

SHA256
f32105743a2439132dee81bdb94c102ebc82e87a34fef55422144c2feb45c447

SHA512
f538e1e2f94491c81c79826e702faf579ee5fc4fb9dc069a4f793c6fa2d01650df84a732a8c9b51ff2e915ae64ee1309c97eb1745e440f05a80ee094a5a6b2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7fa4c8-cfbe-4bdd-ad3f-6f2f23eaaeb3.vbs

Filesize
708B

MD5
810dafb0fa9783160e5cf7605fd5dbc4

SHA1
c038150c2cb3071d9774eee31e26c280c8d601c1

SHA256
91b07657ba5ccef807e44546154fd5713795d6e5c8fb3687e4f1495c5168576a

SHA512
5243fa568714045955757c11a2222e6c29f9497ca3995d8dbcedc66f70ced1b9910be4b02aa857008d4d7f572200b499d96e60d49739aad49ae2f93e164bc456

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f86d2b4-c5e2-4bfb-9766-a40664767020.vbs

Filesize
708B

MD5
10625b57677075a85f543f1964c51464

SHA1
7d43bef13766c86761c0ab14a475e0a89c9aa572

SHA256
a1cb62ad7fe8df725a1468b1738b9f5cac21b626d6026a26b9b7251c53c20b06

SHA512
59b68951d03bbfef75fc6fbfe8c5de0cfe34c58048072a2385fb93fd830ab979ea0e27fd49412156415ce9c52d204410d5aa61273e3b51b6548a9e40e4a711b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3387a7d-a6a1-471b-a959-ce0d1c364d4e.vbs

Filesize
707B

MD5
bdcbd46eeabc52ccfc3ab336251f3f6f

SHA1
e2b12a2df5b78dbaa17814f5a678ae5eb917f78b

SHA256
1ac90af36b45e84cece2ab91bae33ae880ee3cf57fd25339429cc00ca8380a4e

SHA512
f4e1a6c37aba8490a8637a5325ce813e31ae33d6ef9aca4196cc7be0acc70ad580a6e2cddb229147e9b93cedb2100b98a0ab388333ec7080cd8c1365f32ecb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\d25ed37e-e109-45d8-a89d-0687604ad104.vbs

Filesize
708B

MD5
58128bc79e41ab1bc64891e4c1ad6d35

SHA1
4a643f37a69b0447227bbab1e20dee03921c81fc

SHA256
5a5c17190fe9dae19368b2abe6c4c54d4516b7cb59447e2b15e202add4e78df0

SHA512
83fdf799f884573110cd13325077b4ad65e0826ff10b75f4a962b9d26fd916dba21a5cfad96de9c84695fb118fbd97116a17e51edb3ba855fa48fda9100c0a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\dec53f6a-19a8-4cfc-8992-ffe4bb49f9ca.vbs

Filesize
708B

MD5
c3a985f83519b04ec7f30831141367bf

SHA1
091d358fd301995d6780828fb2eedfa7dd3d8c26

SHA256
ef17850c95a0a7c9b780bfb2d2dbad84349e4de12c78b6538e86eae16c1f707d

SHA512
95a4f1cc7af48a98cf249fd63c6f9999e08eaa9447ec7a6e68a7660ae4622daaefe22908e4ff168a72882d179ee90b455f7caf31f2e76e794d05d33ce5f590e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE12B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
855b2cf84dd7489e6a45bbae7583fe4f

SHA1
7f639eed91cdd68e3c5aae8d6487856e1bd15510

SHA256
7006edf5f008b0c551d72f5bcf7d3fa5d3f9bd9754ca95215311d5d6f575581a

SHA512
95792df83bcd75a4caf241a38f2fd8a9fee3b121bf08da0d08701a97641fb9790b05f9386eb15712afff79b6f8a64c3e5d4a5c48d80fd5028936f50381b61f8c

Download Submit
memory/600-151-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/600-147-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/676-290-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/1092-202-0x0000000000BB0000-0x00000000010A4000-memory.dmp

Filesize
5.0MB

Download
memory/2084-261-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/2168-10-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2168-9-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2168-159-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-1-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2168-16-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/2168-14-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2168-13-0x0000000002580000-0x000000000258E000-memory.dmp

Filesize
56KB

Download
memory/2168-12-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download
memory/2168-11-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2168-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x000000001B400000-0x000000001B52E000-memory.dmp

Filesize
1.2MB

Download
memory/2168-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2168-8-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2168-3-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-7-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2168-6-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2168-5-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2168-4-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/2380-217-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download
memory/2520-305-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2728-246-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2836-153-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download