dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
139s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5eef1816b5037715c6da38464a8a3f.exe
Size

1.1MB
MD5

ff5eef1816b5037715c6da38464a8a3f
SHA1

ba123a98299528f73ad8cbfa234d3fd9a78c47f5
SHA256

66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104
SHA512

daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c
SSDEEP

12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\audiodg.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\audiodg.exe\", \"C:\\Documents and Settings\\Idle.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\audiodg.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937\\ff5eef1816b5037715c6da38464a8a3f.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2672	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1052	powershell.exe
2936	powershell.exe
2312	powershell.exe
2680	powershell.exe
520	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ff5eef1816b5037715c6da38464a8a3f.exe

Executes dropped EXE 11 IoCs

pid	Process
1908	audiodg.exe
556	audiodg.exe
2656	audiodg.exe
2500	audiodg.exe
572	audiodg.exe
2244	audiodg.exe
324	audiodg.exe
2664	audiodg.exe
1048	audiodg.exe
2512	audiodg.exe
1116	audiodg.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ff5eef1816b5037715c6da38464a8a3f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937\\ff5eef1816b5037715c6da38464a8a3f.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ff5eef1816b5037715c6da38464a8a3f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937\\ff5eef1816b5037715c6da38464a8a3f.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\audiodg.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\audiodg.exe\""	ff5eef1816b5037715c6da38464a8a3f.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff5eef1816b5037715c6da38464a8a3f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe	ff5eef1816b5037715c6da38464a8a3f.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\42af1c969fbb7b	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX6CD9.tmp	ff5eef1816b5037715c6da38464a8a3f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe	ff5eef1816b5037715c6da38464a8a3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2324	schtasks.exe
1252	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2312	powershell.exe
2484	ff5eef1816b5037715c6da38464a8a3f.exe
2936	powershell.exe
2680	powershell.exe
520	powershell.exe
1052	powershell.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe
1908	audiodg.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	ff5eef1816b5037715c6da38464a8a3f.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	1908	audiodg.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	556	audiodg.exe
Token: SeDebugPrivilege	2656	audiodg.exe
Token: SeDebugPrivilege	2500	audiodg.exe
Token: SeDebugPrivilege	572	audiodg.exe
Token: SeDebugPrivilege	2244	audiodg.exe
Token: SeDebugPrivilege	324	audiodg.exe
Token: SeDebugPrivilege	2664	audiodg.exe
Token: SeDebugPrivilege	1048	audiodg.exe
Token: SeDebugPrivilege	2512	audiodg.exe
Token: SeDebugPrivilege	1116	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2312	2484	ff5eef1816b5037715c6da38464a8a3f.exe	35
PID 2484 wrote to memory of 2312	2484	ff5eef1816b5037715c6da38464a8a3f.exe	35
PID 2484 wrote to memory of 2312	2484	ff5eef1816b5037715c6da38464a8a3f.exe	35
PID 2484 wrote to memory of 2936	2484	ff5eef1816b5037715c6da38464a8a3f.exe	36
PID 2484 wrote to memory of 2936	2484	ff5eef1816b5037715c6da38464a8a3f.exe	36
PID 2484 wrote to memory of 2936	2484	ff5eef1816b5037715c6da38464a8a3f.exe	36
PID 2484 wrote to memory of 1052	2484	ff5eef1816b5037715c6da38464a8a3f.exe	37
PID 2484 wrote to memory of 1052	2484	ff5eef1816b5037715c6da38464a8a3f.exe	37
PID 2484 wrote to memory of 1052	2484	ff5eef1816b5037715c6da38464a8a3f.exe	37
PID 2484 wrote to memory of 520	2484	ff5eef1816b5037715c6da38464a8a3f.exe	38
PID 2484 wrote to memory of 520	2484	ff5eef1816b5037715c6da38464a8a3f.exe	38
PID 2484 wrote to memory of 520	2484	ff5eef1816b5037715c6da38464a8a3f.exe	38
PID 2484 wrote to memory of 2680	2484	ff5eef1816b5037715c6da38464a8a3f.exe	39
PID 2484 wrote to memory of 2680	2484	ff5eef1816b5037715c6da38464a8a3f.exe	39
PID 2484 wrote to memory of 2680	2484	ff5eef1816b5037715c6da38464a8a3f.exe	39
PID 2484 wrote to memory of 1908	2484	ff5eef1816b5037715c6da38464a8a3f.exe	45
PID 2484 wrote to memory of 1908	2484	ff5eef1816b5037715c6da38464a8a3f.exe	45
PID 2484 wrote to memory of 1908	2484	ff5eef1816b5037715c6da38464a8a3f.exe	45
PID 1908 wrote to memory of 2168	1908	audiodg.exe	46
PID 1908 wrote to memory of 2168	1908	audiodg.exe	46
PID 1908 wrote to memory of 2168	1908	audiodg.exe	46
PID 1908 wrote to memory of 1476	1908	audiodg.exe	47
PID 1908 wrote to memory of 1476	1908	audiodg.exe	47
PID 1908 wrote to memory of 1476	1908	audiodg.exe	47
PID 2168 wrote to memory of 556	2168	WScript.exe	48
PID 2168 wrote to memory of 556	2168	WScript.exe	48
PID 2168 wrote to memory of 556	2168	WScript.exe	48
PID 556 wrote to memory of 1732	556	audiodg.exe	49
PID 556 wrote to memory of 1732	556	audiodg.exe	49
PID 556 wrote to memory of 1732	556	audiodg.exe	49
PID 556 wrote to memory of 1940	556	audiodg.exe	50
PID 556 wrote to memory of 1940	556	audiodg.exe	50
PID 556 wrote to memory of 1940	556	audiodg.exe	50
PID 1732 wrote to memory of 2656	1732	WScript.exe	51
PID 1732 wrote to memory of 2656	1732	WScript.exe	51
PID 1732 wrote to memory of 2656	1732	WScript.exe	51
PID 2656 wrote to memory of 2276	2656	audiodg.exe	52
PID 2656 wrote to memory of 2276	2656	audiodg.exe	52
PID 2656 wrote to memory of 2276	2656	audiodg.exe	52
PID 2656 wrote to memory of 3016	2656	audiodg.exe	53
PID 2656 wrote to memory of 3016	2656	audiodg.exe	53
PID 2656 wrote to memory of 3016	2656	audiodg.exe	53
PID 2276 wrote to memory of 2500	2276	WScript.exe	54
PID 2276 wrote to memory of 2500	2276	WScript.exe	54
PID 2276 wrote to memory of 2500	2276	WScript.exe	54
PID 2500 wrote to memory of 2512	2500	audiodg.exe	55
PID 2500 wrote to memory of 2512	2500	audiodg.exe	55
PID 2500 wrote to memory of 2512	2500	audiodg.exe	55
PID 2500 wrote to memory of 820	2500	audiodg.exe	56
PID 2500 wrote to memory of 820	2500	audiodg.exe	56
PID 2500 wrote to memory of 820	2500	audiodg.exe	56
PID 2512 wrote to memory of 572	2512	WScript.exe	57
PID 2512 wrote to memory of 572	2512	WScript.exe	57
PID 2512 wrote to memory of 572	2512	WScript.exe	57
PID 572 wrote to memory of 2012	572	audiodg.exe	58
PID 572 wrote to memory of 2012	572	audiodg.exe	58
PID 572 wrote to memory of 2012	572	audiodg.exe	58
PID 572 wrote to memory of 2104	572	audiodg.exe	59
PID 572 wrote to memory of 2104	572	audiodg.exe	59
PID 572 wrote to memory of 2104	572	audiodg.exe	59
PID 2012 wrote to memory of 2244	2012	WScript.exe	61
PID 2012 wrote to memory of 2244	2012	WScript.exe	61
PID 2012 wrote to memory of 2244	2012	WScript.exe	61
PID 2244 wrote to memory of 1992	2244	audiodg.exe	62

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff5eef1816b5037715c6da38464a8a3f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe
"C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937\ff5eef1816b5037715c6da38464a8a3f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def2fd03-a2ff-4c8e-be9c-767ff5059b5c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
      "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d50787-4727-486b-8c8b-b7a2fdbfc4c2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90829c2f-a4d1-4e54-b288-b23bf85e9ba9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eb6f784-f62a-4363-b821-21e1dd1b3b88.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6562bbc4-1224-4199-9101-53fd3aea6c03.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf9f4aa-246f-41e4-babb-eb16d811e827.vbs"
        13⤵
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caebbcba-e84d-43c9-8b91-8f3b9a3e16b3.vbs"
        15⤵
        
        PID:2324
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b1b5d0c-777a-481d-9c4f-f9562b7132a4.vbs"
        17⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d090ea2c-7896-47bc-a4a2-bff781df7ee1.vbs"
        19⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9787b59-d4e0-4354-bc0a-aba9605c6188.vbs"
        21⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a21cec3-9d7d-410e-b90d-5b5a8ca18c6c.vbs"
        23⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e050a51-0290-4072-bb54-3b16462523d5.vbs"
        23⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c534fb63-500b-4200-a4ab-db8c90101c2f.vbs"
        21⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e850c51-11f9-48e2-8814-8102b3246be0.vbs"
        19⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30ad6b1c-fcf8-4b73-9ecd-d93363dd9d9e.vbs"
        17⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5b7d03f-ce65-46d9-8ca2-496fe75c076c.vbs"
        15⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac288822-d5fa-4ab1-9af5-95dcb03899bf.vbs"
        13⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6361b27-070f-47f8-951a-15799bbb0897.vbs"
        11⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f6ea4f-febc-4ef0-9682-fd5c5008b6f4.vbs"
        9⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c6f4a60-26ff-41d0-a1a1-857b36971ed3.vbs"
        7⤵
        
        PID:3016
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5627b044-b64b-4b22-9f04-af0744a22952.vbs"
        5⤵
        
        PID:1940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\827ac3d0-2958-4b9d-937a-178047459e85.vbs"
    3⤵
    PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ff5eef1816b5037715c6da38464a8a3f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937\ff5eef1816b5037715c6da38464a8a3f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
1.1MB

MD5
ff5eef1816b5037715c6da38464a8a3f

SHA1
ba123a98299528f73ad8cbfa234d3fd9a78c47f5

SHA256
66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104

SHA512
daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0eb6f784-f62a-4363-b821-21e1dd1b3b88.vbs

Filesize
753B

MD5
b54259426511e0aaf70818326588795b

SHA1
6039d369a2c472751fd172e0213e24fd14dc70ac

SHA256
b387623b393d2ca9034bbc3baca69528e78dbb61d0cbb2b6f8cf7e9d0c9cf36f

SHA512
552a2053746792c75b75728270bacb71c6796eea8c8689aba9fd26af7e8ff5ba1576020e449b3203afc0cc92af5baa8e141c5daeed9a8a46e1f9e73f60dea44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a21cec3-9d7d-410e-b90d-5b5a8ca18c6c.vbs

Filesize
753B

MD5
9eac0e4420c60b553bd14f564b17f1aa

SHA1
aea8f961ac21584ff67fe99ebedaed6275d116af

SHA256
97371f86e131e84b353963d5394c29195fc59cacf9fb8f7e59949a798018dbfb

SHA512
7e4abda426b4f1bf2bf75f869b27ef2c517847dfa840f7769aac37d1933d4d0ef286bb37bbf72e1f1db2608c3728dc957ef04c4493a97d9701fe19cfb0910c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6562bbc4-1224-4199-9101-53fd3aea6c03.vbs

Filesize
752B

MD5
46a36aa77f0246970b43f7fec664412d

SHA1
8c31eca79260c9b24c07a62798801f0137807f0e

SHA256
9f6c3a6944ed37210bc4ad883d9093ef47bb7618f73ccf9a3f102d0c2e1cbc74

SHA512
07889cfd6fcfa841bad343fe1223ec482572f99fe6dc36287640f3070f4aadfa0344f17934c42c889c035fe8eda2c1f45faa12f580a661f7095dadb576dd838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b1b5d0c-777a-481d-9c4f-f9562b7132a4.vbs

Filesize
753B

MD5
9688241257450422aee1e9cea9c78018

SHA1
b8e29e385595a2f82f74a87d34081c5c644ec895

SHA256
cd3aa476832a55c9fb6ef68d5b9801d5d6a710cb48b6ad0727dcb1a91f7c3a1d

SHA512
a41f56313d3cd33905ba40aba8544c76852276d67f2675566d00a2b0f809de69c7fe09bf47c3f3a3d28b7b937a74d3aa48599bd956f805f3df5086db03f45469

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d50787-4727-486b-8c8b-b7a2fdbfc4c2.vbs

Filesize
752B

MD5
4926c762b7869b4c48fecce8674e47ef

SHA1
cafda7516dc41fadfc59b27020e6cd901e0f8323

SHA256
42f4eb69f64a032fd55d9a96f21a25a7fda5b430ff80c3db8c751ca74cad4b5a

SHA512
f206227b42914b4567a34311e2876cf360ceb2657fcd93dc13e3f87ed7d80af0296d50da384a6c9cbf04a8a51aef1cbf924d2f323d053f4600dd898db4b7f58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\827ac3d0-2958-4b9d-937a-178047459e85.vbs

Filesize
529B

MD5
69bbeb41b7ebb21accdd3a89852d8b0d

SHA1
91554d56750f4b053b2e759f939271cbd6f31eb9

SHA256
cb2b5b055f88902b6b7852c93cb7f789dae05cd348aa28284756b60117ecfac8

SHA512
348b0e594cc03b75ed568a2dda11e50105c163f5790848aaa8a5cdb71bc3692a5e6c136cdc86927e3b20a41ae82a309dcf9e90514a88bd1fee8874b4bac6872d

Download Submit
C:\Users\Admin\AppData\Local\Temp\90829c2f-a4d1-4e54-b288-b23bf85e9ba9.vbs

Filesize
753B

MD5
8855e3d6217afb895d07f3d5abc05e43

SHA1
6b84b1484d8b45005d537d358ecfab70c839a37c

SHA256
d5e7e6329f11bc2be4a4919af4fdc44b72ee38acd5f0611603f41db26bcc9591

SHA512
5fbf9ce80641f516cb4f6e4471cd59dbd7858d93d2b10dc0de3fb9cb9ee299ab3254a21d9d941566bedb8e051adaa676c3806d906e21f991a10d9c3325cfb08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcf9f4aa-246f-41e4-babb-eb16d811e827.vbs

Filesize
753B

MD5
535e7173eb64249bf74b7edb5c3d1d47

SHA1
4f538f0b0bf2714526c742d9ba2ef8d0323c9073

SHA256
c2d17d1e7818739ade0ef5a60fd27461d64acd0561c78cb528ba837089976351

SHA512
af05f197cb76d69703bbe272de383f542fc2f1e794a685760c10f83be98a50da6035cb90eb5d7b567651b411e1614353b276fc513eed2a1dff913b85aba82b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\caebbcba-e84d-43c9-8b91-8f3b9a3e16b3.vbs

Filesize
752B

MD5
e7092d3b2493d028e161df25432846a7

SHA1
e76ef2ba1e4d3e858a2246b35d1d99e06f341102

SHA256
bd7cc74e74efb6a344295363b491e0cc936053e1b3ed1f42affce9909db00593

SHA512
03ac2c2430fbf9e7425239e6f259e5dadef78da01370326622d956542f7e2d7edb0aa2a10a68ae85f48b5dd4e3cc75f6f009e8b415f54057312a17db052fd10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d090ea2c-7896-47bc-a4a2-bff781df7ee1.vbs

Filesize
753B

MD5
e1d92446dd787852801ce21160dc23c6

SHA1
8a66b3264bc3f93eeb88c9797305aea691e768c9

SHA256
68fc282b0a4014044be042687c62b6727cb2d96b043f373c6c4f4c50db29174b

SHA512
8be48531bd2541a98bca912b1e73798e1f4f1ed80a0fdbfa83a1473de773cd3467fb54ef16d47ef84373fab11997b5a524ade1fc862e25fcae3b16fb85a872bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\def2fd03-a2ff-4c8e-be9c-767ff5059b5c.vbs

Filesize
753B

MD5
79362e88b52de89b651fc094735964b8

SHA1
54b798740438cdfadbb8808c66428cc28d515a34

SHA256
5cd1d3fe516df5509a9d1ca121aa3dd272f0962d35d262f8496c6ce0c048c58d

SHA512
04e232217deb18471d568226e8feec138e5014ec0cdca951f7356a415e46b10f8451b3d5a38c94979503c8605ffbf1cee0db0f3e8027db8095273b29814be7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9787b59-d4e0-4354-bc0a-aba9605c6188.vbs

Filesize
753B

MD5
59e7be39b53ff556975341009ea097ac

SHA1
c384cb5ac81b968b82821bbc75f9f4d7dba25ac9

SHA256
5b2d3cb1a93d733f0da831462de44c4c991ad883e1f81577de337625968f2d15

SHA512
6e10838dc54bd47837875ec5a8d6a40151d83297da806213dd2df684384f1eca30b9c6d1fdbf52b97e7e53aa4983e0a6b78bd1f9053bf2d8a8c0ea027184960b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ac8ff9a9467a59b84c2bd2c361ec9ea4

SHA1
4d17b6492aba77ff9c5409fe328ba48508b9c94f

SHA256
e017b03e99be918f3e462ce66be2f2797f994c50459bb83cc54ba0e75a3ce39a

SHA512
b5e2260aafb6fa3247f820004e5f4fd3774177ee9d45a0ac7bc9330fe222bbc0e55e313bcf4fa590ff763e78b7cd5ac4fd49bcfa72e32c27544c620c96c5d29e

Download Submit
memory/520-93-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/556-116-0x0000000000320000-0x0000000000434000-memory.dmp

Filesize
1.1MB

Download
memory/1116-219-0x0000000000010000-0x0000000000124000-memory.dmp

Filesize
1.1MB

Download
memory/1908-104-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1908-98-0x0000000000F00000-0x0000000001014000-memory.dmp

Filesize
1.1MB

Download
memory/2484-13-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/2484-105-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-24-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-31-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-33-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-37-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-20-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2484-44-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-52-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-68-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-18-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2484-17-0x0000000002070000-0x000000000207C000-memory.dmp

Filesize
48KB

Download
memory/2484-92-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-16-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2484-1-0x0000000000930000-0x0000000000A44000-memory.dmp

Filesize
1.1MB

Download
memory/2484-99-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-15-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2484-21-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/2484-14-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

Filesize
48KB

Download
memory/2484-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-12-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/2484-11-0x0000000001F90000-0x0000000001FA0000-memory.dmp

Filesize
64KB

Download
memory/2484-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-10-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2484-3-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2484-9-0x0000000001F70000-0x0000000001F7C000-memory.dmp

Filesize
48KB

Download
memory/2484-8-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2484-7-0x0000000001F50000-0x0000000001F5C000-memory.dmp

Filesize
48KB

Download
memory/2484-6-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/2484-5-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2484-4-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2500-140-0x0000000001250000-0x0000000001364000-memory.dmp

Filesize
1.1MB

Download
memory/2512-207-0x00000000012F0000-0x0000000001404000-memory.dmp

Filesize
1.1MB

Download
memory/2656-128-0x00000000010B0000-0x00000000011C4000-memory.dmp

Filesize
1.1MB

Download
memory/2936-96-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download