Analysis

  • max time kernel
    1800s
  • max time network
    1794s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 14:53

General

  • Target

    RustUpdater.exe

  • Size

    2.3MB

  • MD5

    50d955b49b2a8878cdd683365c83e183

  • SHA1

    9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244

  • SHA256

    528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78

  • SHA512

    6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2

  • SSDEEP

    49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
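Two of the behaviours in this report are worth turning into a mechanical check: the run of Add-MpPreference calls that exclude every top-level directory of C:\ from Defender, and a binary named taskhostw.exe executing from C:\Windows\GameBarPresenceWriter\ instead of System32. The following is an added example, not part of the sandbox report or of the sample; it runs a small triage pass over a constructed list of (PID, command line) events copied from the process tree above and flags both patterns. The function names (defender_exclusions, exclusion_breadth, masquerading, triage) and the severity labels are assumptions made for illustration; the set of "system-only" binary names and legitimate directories is deliberately small and would need extending for real use.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: (PID, command line) pairs copied from the process tree in this report.
SAMPLE_EVENTS = [
    (2876, r'"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"'),
    (3660, r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"'),
    (5112, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "'),
    (4720, r'"C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"'),
    (3876, r'"powershell" -Command Add-MpPreference -ExclusionPath ' + "'C:/'"),
    (2304, r'"powershell" -Command Add-MpPreference -ExclusionPath ' + "'C:/Users/'"),
    (3904, r'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2'),
    (5336, r'"C:\Windows\GameBarPresenceWriter\taskhostw.exe"'),
]

# Matches the three Add-MpPreference exclusion switches and captures the (optionally quoted) value.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?\"?([^'\"]+)", re.I)

# Directories that, once excluded, effectively disable Defender for most of the volume.
BROAD_DIRS = {'windows', 'users', 'program files', 'program files (x86)',
              'programdata', 'documents and settings'}

# Binary names (from the tree above) that legitimately live only under System32/SysWOW64.
SYSTEM_BINARIES = {'taskhostw.exe', 'wscript.exe', 'cmd.exe', 'w32tm.exe', 'powershell.exe'}
LEGIT_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64',
              r'c:\windows\system32\windowspowershell\v1.0')


def defender_exclusions(cmdline):
    """Return (kind, value) for every Defender exclusion added by this command line."""
    return [(m.group(1).lower(), m.group(2)) for m in EXCLUSION_RE.finditer(cmdline)]


def exclusion_breadth(path):
    """Crude severity of a path exclusion: whole volume > top-level system dirs > anything else."""
    parts = PureWindowsPath(path.replace('/', '\\')).parts
    if len(parts) == 1 and parts[0].endswith('\\'):      # e.g. 'C:\' excludes the entire drive
        return 'critical'
    if len(parts) == 2 and parts[1].lower() in BROAD_DIRS:
        return 'high'
    return 'medium'


def image_path(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ''


def masquerading(cmdline):
    """True when a well-known system binary name runs from outside its normal directories."""
    p = PureWindowsPath(image_path(cmdline))
    if p.name.lower() not in SYSTEM_BINARIES or not p.is_absolute():
        return False    # bare names such as 'powershell' resolve via PATH; not judged here
    return str(p.parent).lower() not in LEGIT_DIRS


def triage(events):
    """Run both checks over (pid, cmdline) events and return (pid, severity, reason) findings."""
    findings = []
    for pid, cmd in events:
        for kind, value in defender_exclusions(cmd):
            sev = exclusion_breadth(value) if kind == 'path' else 'high'
            findings.append((pid, sev, f'defender exclusion {kind}={value}'))
        if masquerading(cmd):
            findings.append((pid, 'high',
                             f'system binary name outside System32: {image_path(cmd)}'))
    return findings


if __name__ == '__main__':
    for pid, sev, reason in triage(SAMPLE_EVENTS):
        print(f'PID {pid:<5} {sev:<8} {reason}')
```

Run against the sample, the pass reports PID 3876 as critical (the 'C:/' exclusion alone covers everything the later ten calls add), PID 2304 as high, and PID 5336 as a taskhostw.exe running outside System32. The real taskhostw.exe lives in C:\Windows\System32, so any copy under GameBarPresenceWriter is a dropped file regardless of its name. The w32tm /stripchart line is left unflagged here; it is a commonly used delay in batch loaders of this kind, but on its own it is not malicious.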

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
          "C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4632
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4156
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfCzEvpyfZ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3112
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3904
              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                "C:\Windows\GameBarPresenceWriter\taskhostw.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5336
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63fa41b7-b7db-4419-b880-a1de4eedd381.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5452
                  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                    C:\Windows\GameBarPresenceWriter\taskhostw.exe
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5776
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324aaa64-253b-4630-9deb-2e323756ed95.vbs"
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5884
                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                        C:\Windows\GameBarPresenceWriter\taskhostw.exe
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:6004
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3e49963-ac36-4372-8511-21ea35aac71d.vbs"
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:6104
                          • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                            C:\Windows\GameBarPresenceWriter\taskhostw.exe
                            12⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:5232
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbcac25-ead4-4a29-bb13-c7d170f6a895.vbs"
                              13⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5480
                              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                14⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4228
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e33aa5-0343-406a-aadf-0b8bfc3da359.vbs"
                                  15⤵
                                    PID:3396
                                    • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                      C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                      16⤵
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      PID:6092
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604187ae-7d1b-40fb-9c4b-fd1886608995.vbs"
                                        17⤵
                                          PID:4748
                                          • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                            C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                            18⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            PID:4196
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a24851b3-e699-40de-9ede-9d74651990d8.vbs"
                                              19⤵
                                                PID:2728
                                                • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                  C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                  20⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  PID:5724
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\196e3c15-698c-47ee-b468-4799fc211ef2.vbs"
                                                    21⤵
                                                      PID:5912
                                                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                        C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                        22⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        PID:4420
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfeeed01-b196-49e8-b25a-0ecb6b83721c.vbs"
                                                          23⤵
                                                            PID:5956
                                                            • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                              C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                              24⤵
                                                              • Executes dropped EXE
                                                              PID:5248
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb639fa4-316a-48c8-afb8-7e6e2ff989e4.vbs"
                                                                25⤵
                                                                  PID:1840
                                                                  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                    C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                    26⤵
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    PID:4176
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8677fb49-b85f-4704-a023-06cd34cf5271.vbs"
                                                                      27⤵
                                                                        PID:2784
                                                                        • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                          C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                          28⤵
                                                                          • Executes dropped EXE
                                                                          PID:1188
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c01f9304-5872-4583-96a7-3436bbfc00ce.vbs"
                                                                            29⤵
                                                                              PID:3624
                                                                              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                30⤵
                                                                                • Executes dropped EXE
                                                                                PID:740
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ccb56d3-f1c9-4f1e-b471-c8b75eb92b4a.vbs"
                                                                                  31⤵
                                                                                    PID:3032
                                                                                    • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                      C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                      32⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:1820
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7ed01b-cf15-4f16-86d0-d3acd00b8bd1.vbs"
                                                                                        33⤵
                                                                                          PID:4856
                                                                                          • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                            C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                            34⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            PID:5420
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ef3bc5-a3e2-4735-a52b-dd5bcb432125.vbs"
                                                                                              35⤵
                                                                                                PID:5928
                                                                                                • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                  C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                  36⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:5128
                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a04c057-77ad-4fa2-a005-64403bd33aeb.vbs"
                                                                                                    37⤵
                                                                                                      PID:1880
                                                                                                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                        C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                        38⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:4220
                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc1301de-41ee-4487-bbd6-fc75b1da41b2.vbs"
                                                                                                          39⤵
                                                                                                            PID:856
                                                                                                            • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                              C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                              40⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Modifies registry class
                                                                                                              PID:3676
                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc1759f4-e15b-466b-b4d2-8290fd85050d.vbs"
                                                                                                                41⤵
                                                                                                                  PID:4176
                                                                                                                  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                    C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                    42⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:3644
                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b20ff5-59bb-4671-9166-d8d1fdf00445.vbs"
                                                                                                                      43⤵
                                                                                                                        PID:2972
                                                                                                                        • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                          C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                          44⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies registry class
                                                                                                                          PID:4736
                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6b1d09-9e19-48de-a58e-74a831c3d24e.vbs"
                                                                                                                            45⤵
                                                                                                                              PID:3192
                                                                                                                              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                                C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                                                46⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Modifies registry class
                                                                                                                                PID:4996
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9a29ea-04c6-43f7-b888-9c7d68741576.vbs"
  47⤵
    PID:3840
    • C:\Windows\GameBarPresenceWriter\taskhostw.exe
      C:\Windows\GameBarPresenceWriter\taskhostw.exe
      48⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:5948
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6311f32f-100c-4875-9cd7-cf5576beb386.vbs"
        49⤵
          PID:5216
          • C:\Windows\GameBarPresenceWriter\taskhostw.exe
            C:\Windows\GameBarPresenceWriter\taskhostw.exe
            50⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            PID:2464
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc780bc-897c-40c2-99ac-6ff950e2a078.vbs"
              51⤵
                PID:1952
                • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                  C:\Windows\GameBarPresenceWriter\taskhostw.exe
                  52⤵
                  • Executes dropped EXE
                  PID:1272
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3efe1b-4c8f-452b-b7e1-4183dec794e9.vbs"
                    53⤵
                      PID:5500
                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                        C:\Windows\GameBarPresenceWriter\taskhostw.exe
                        54⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        PID:1592
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b708f3-5618-401b-85be-8b6d6a8052db.vbs"
                          55⤵
                            PID:1500
                            • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                              C:\Windows\GameBarPresenceWriter\taskhostw.exe
                              56⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              PID:1880
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdb13599-1004-423a-879a-66bf67b667b9.vbs"
                                57⤵
                                  PID:3600
                                  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                    C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                    58⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    PID:4456
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a30f28-6c91-45d8-bc37-0b90028bd6a9.vbs"
                                      59⤵
                                        PID:2992
                                        • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                          C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                          60⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          PID:1576
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd0bb3d5-489e-4fa1-a824-b5a7e3295305.vbs"
                                            61⤵
                                              PID:4684
                                              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                62⤵
                                                • Executes dropped EXE
                                                PID:5212
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba3b494-2274-436e-87be-47117ac45881.vbs"
                                                  63⤵
                                                    PID:4704
                                                    • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                      C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                      64⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      PID:3524
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec318e83-c5d3-4956-8632-b3cf1cc85f21.vbs"
                                                        65⤵
                                                          PID:3988
                                                          • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                            C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                            66⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:4124
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ce240b-8bdf-4f2e-bc06-9c5288043dcb.vbs"
                                                              67⤵
                                                                PID:4392
                                                                • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                  C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                  68⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:5588
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa67193c-5380-4caa-8037-c2eac81d3260.vbs"
                                                                    69⤵
                                                                      PID:5944
                                                                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                        C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                        70⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        PID:1348
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e1785a-63d3-431e-8611-0b46e742ac35.vbs"
                                                                          71⤵
                                                                            PID:4512
                                                                            • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                              C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                              72⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              PID:5568
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab326257-dc63-4469-8c88-771f48d3e310.vbs"
                                                                                73⤵
                                                                                  PID:3112
                                                                                  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                    C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                    74⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:1032
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba6ef34-916b-4350-ab21-b547f20389e2.vbs"
                                                                                      75⤵
                                                                                        PID:1500
                                                                                        • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                          C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                          76⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:64
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e06bd8-e1a7-41d5-bec6-2e91c1d0fb94.vbs"
                                                                                            77⤵
                                                                                              PID:5920
                                                                                              • C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                C:\Windows\GameBarPresenceWriter\taskhostw.exe
                                                                                                78⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:632
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8baf57e1-1dd4-4807-af10-ec521c1cc55d.vbs"
                                                                                            77⤵
                                                                                              PID:2288
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d5c4f6-d9ea-46a2-97a5-788edf21ed15.vbs"
                                                                                      75⤵
                                                                                        PID:1880
                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2896a0-6369-449f-9a6b-5b6b95a3ecee.vbs"
                                                                                                                                                                                                                          73⤵
                                                                                                                                                                                                                            PID:1300
                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8585bd84-09d3-470e-b86f-6c454ccc99ac.vbs"
                                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c20f23da-de55-4259-8001-74c7fd445e6b.vbs"
                                                                                                                                                                                                                      69⤵
                                                                                                                                                                                                                        PID:5520
                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b76348a4-968a-47a2-ad8b-f380b5f3dabd.vbs"
                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                      PID:5172
                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a57f4d-f609-4d6f-8884-dc838807b654.vbs"
                                                                                                                                                                                                                  65⤵
                                                                                                                                                                                                                    PID:5540
                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a9fc52-54e0-4c6c-b1e9-585a2dc77827.vbs"
                                                                                                                                                                                                                63⤵
                                                                                                                                                                                                                  PID:5564
                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4fafbf-2aca-42f7-8992-f30a8037132e.vbs"
                                                                                                                                                                                                              61⤵
                                                                                                                                                                                                                PID:5188
                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fc232c-3fe2-4eab-8780-aaa8945a8b86.vbs"
                                                                                                                                                                                                            59⤵
                                                                                                                                                                                                              PID:4064
                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded84253-66da-469e-9313-35238548c9c7.vbs"
                                                                                                                                                                                                          57⤵
                                                                                                                                                                                                            PID:1028
                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a7f23ed-1361-49fd-9905-ff4ac6a6f143.vbs"
                                                                                                                                                                                                        55⤵
                                                                                                                                                                                                          PID:5656
                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3414ffe4-34a6-45d8-a8a5-f2a37710edd4.vbs"
                                                                                                                                                                                                      53⤵
                                                                                                                                                                                                        PID:6080
                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb961314-80d8-47c2-9509-421007a1f846.vbs"
                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                      PID:4500
                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500724ef-de1d-46c4-8d9f-03d1869ea2fe.vbs"
                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                    PID:428
                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fa57da-7a59-4729-8f33-40e629e84dae.vbs"
                                                                                                                                                                                                47⤵
                                                                                                                                                                                                  PID:672
                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb300af-2837-401d-a805-fab0b78f7289.vbs"
                                                                                                                                                                                              45⤵
                                                                                                                                                                                                PID:4524
                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de0777e8-de5c-4a5a-820c-f77d450f8bef.vbs"
                                                                                                                                                                                            43⤵
                                                                                                                                                                                              PID:6108
                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61da8b2-d98b-49ec-9976-f904c74685c9.vbs"
                                                                                                                                                                                          41⤵
                                                                                                                                                                                            PID:2452
                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32a1dfe-246a-4786-8770-2f4086624e9f.vbs"
                                                                                                                                                                                        39⤵
                                                                                                                                                                                          PID:832
                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a659914-903e-4d56-9e6b-7f8fd331ae3b.vbs"
                                                                                                                                                                                      37⤵
                                                                                                                                                                                        PID:5572
                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d7e304-6b7f-4ace-a12e-fc8d3fbb15ae.vbs"
                                                                                                                                                                                    35⤵
                                                                                                                                                                                      PID:5428
                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa07c047-e0ea-4835-a6f2-e8fbaf7eb160.vbs"
                                                                                                                                                                                  33⤵
                                                                                                                                                                                    PID:3560
                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b327bec-a45c-456f-b21a-b5efb7666ab0.vbs"
                                                                                                                                                                                31⤵
                                                                                                                                                                                  PID:1964
                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854ecc17-2d45-49d1-b8bd-be9d607135c4.vbs"
                                                                                                                                                                              29⤵
                                                                                                                                                                                PID:5148
                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe79d75-2ced-4a50-b2d4-f3999691fd46.vbs"
                                                                                                                                                                            27⤵
                                                                                                                                                                              PID:5164
                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bccbb18-0ced-470f-b752-0b885a3a74b8.vbs"
                                                                                                                                                                          25⤵
                                                                                                                                                                            PID:5160
                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fa7cc0-f8b8-4f7a-8823-1aa21af9d752.vbs"
                                                                                                                                                                        23⤵
                                                                                                                                                                          PID:4900
                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a68f37e-82a4-4ebd-ba6e-5da388a86c4a.vbs"
                                                                                                                                                                      21⤵
                                                                                                                                                                        PID:5804
                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c333ea-d56d-487d-9024-cffd4f2c3e04.vbs"
                                                                                                                                                                    19⤵
                                                                                                                                                                      PID:5424
                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a324054-0f18-4199-b730-9e7c729199d2.vbs"
                                                                                                                                                                  17⤵
                                                                                                                                                                    PID:4720
                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05ffdb5e-c30b-47b7-82ef-c53d2029d778.vbs"
                                                                                                                                                                15⤵
                                                                                                                                                                  PID:3484
                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ea9783-fd6d-4bc1-bd8a-92eb8dd0de28.vbs"
                                                                                                                                                              13⤵
                                                                                                                                                                PID:1048
                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10c63abe-eeed-48e1-8824-0096ee44dd9d.vbs"
                                                                                                                                                            11⤵
                                                                                                                                                              PID:3188
                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e1e2ed-bcc0-4c33-8ccf-5cacd4e9e916.vbs"
                                                                                                                                                          9⤵
                                                                                                                                                            PID:5932
                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f747303-1b14-4e1f-ae8c-220b6f67c694.vbs"
                                                                                                                                                        7⤵
                                                                                                                                                          PID:5492
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:1956
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2952
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2276
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3408
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3740
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2344
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:5068
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3244
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3508
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2620
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:1272
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2544
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2960
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:1692
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:1620
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:1724
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2068
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:4820
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3272
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2204
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2756
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3896
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:4904
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:4496
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2476
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:4972
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f
                                                                                                                                              1⤵
                                                                                                                                              • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4508
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4364
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2836
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1628
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2644
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1420
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1616
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3780
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2656
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1224
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\componentdriver.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3784
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1976
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1216
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4592
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3352
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4124
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3144
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2288
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4880
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4776
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4312
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:4176
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1364
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2604
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2064
• C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  1⤵
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Modifies registry class
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:3884
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:5712
• C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  1⤵
  • Drops file in System32 directory
  • Suspicious behavior: GetForegroundWindowSpam
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of SetWindowsHookEx
  PID:1016
• C:\Program Files\Java\componentdriver.exe
  "C:\Program Files\Java\componentdriver.exe"
  1⤵
  • Executes dropped EXE
  PID:2952
• C:\Recovery\WindowsRE\winlogon.exe
  C:\Recovery\WindowsRE\winlogon.exe
  1⤵
  • Executes dropped EXE
  • Modifies registry class
  PID:2376
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4f0160-dbeb-452d-ba2d-4178d9abbfd3.vbs"
      2⤵
      PID:3876
        • C:\Recovery\WindowsRE\winlogon.exe
          C:\Recovery\WindowsRE\winlogon.exe
          3⤵
          • Executes dropped EXE
          PID:1772
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\445dc2b1-6e21-421f-8b89-0ff0371cd3f2.vbs"
      2⤵
      PID:2992
• C:\Program Files\Common Files\dllhost.exe
  "C:\Program Files\Common Files\dllhost.exe"
  1⤵
  • Executes dropped EXE
  PID:4452
• C:\Recovery\WindowsRE\sppsvc.exe
  C:\Recovery\WindowsRE\sppsvc.exe
  1⤵
  • Executes dropped EXE
                                                                                                                                                    PID:5364
                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a40a23d-4a35-4eed-b765-b5a9df340ad4.vbs"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5856
                                                                                                                                                        • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                          C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                          3⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          PID:3052
                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4214bda3-7374-4bb4-8f85-3473086143ce.vbs"
                                                                                                                                                            4⤵
                                                                                                                                                              PID:2464
                                                                                                                                                              • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                5⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:5176
                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24322670-510f-42c4-8bb5-5eab3ba4896a.vbs"
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:5076
                                                                                                                                                                    • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                      C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                      7⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      PID:5084
                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd24ec9-f62c-4ee3-b7d7-c1c13e3b5f53.vbs"
                                                                                                                                                                        8⤵
                                                                                                                                                                          PID:1272
                                                                                                                                                                          • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                            C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                            9⤵
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:5500
                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92111412-6503-4c0d-9906-3987339a01e9.vbs"
                                                                                                                                                                              10⤵
                                                                                                                                                                                PID:3936
                                                                                                                                                                                • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                  C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                  11⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:4932
                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368cfc48-2828-416d-a824-e2476bf5cc46.vbs"
                                                                                                                                                                                    12⤵
                                                                                                                                                                                      PID:1492
                                                                                                                                                                                      • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                        C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                        13⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:2976
                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ff94055-eee1-446f-89f7-372268f55323.vbs"
                                                                                                                                                                                          14⤵
                                                                                                                                                                                            PID:644
                                                                                                                                                                                            • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                              C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                              15⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5288
                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac31ea45-b09c-4534-a9d0-e0e40fe5392a.vbs"
                                                                                                                                                                                                16⤵
                                                                                                                                                                                                  PID:1976
                                                                                                                                                                                                  • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                                    C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:2476
                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17eaac80-777a-4c2b-bb81-033d7b177ede.vbs"
                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                    PID:1772
                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ef77d1-d846-4ecb-99f4-f62b7db131d0.vbs"
                                                                                                                                                                                                14⤵
                                                                                                                                                                                                  PID:2276
                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f335e810-bc1a-42be-85b0-420e92e939d1.vbs"
                                                                                                                                                                                              12⤵
                                                                                                                                                                                                PID:5400
                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c49a69dd-8c67-4aa0-a43c-7adc0b8557c7.vbs"
                                                                                                                                                                                            10⤵
                                                                                                                                                                                              PID:2360
                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d8154e-9d83-4d98-a815-f5d2ea6c094c.vbs"
                                                                                                                                                                                          8⤵
                                                                                                                                                                                            PID:4992
                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec83fb6-2be9-433a-8ec2-22fb5519cdd3.vbs"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:4588
                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\831d5a6e-07f7-419a-a50e-5ba25bbc58f7.vbs"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:5404
                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc04cf55-f50e-456b-93d6-b2ffc3ddf5fa.vbs"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:4652
                                                                                                                                                                                  • C:\Program Files\Windows Defender\sysmon.exe
                                                                                                                                                                                    "C:\Program Files\Windows Defender\sysmon.exe"
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:3396
                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a989f1-e308-4dff-906d-edfa919e153e.vbs"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:3244
                                                                                                                                                                                        • C:\Program Files\Windows Defender\sysmon.exe
                                                                                                                                                                                          "C:\Program Files\Windows Defender\sysmon.exe"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:2948
                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2e597f-0e9b-4cc1-b46c-9af09d6b1502.vbs"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:1008
                                                                                                                                                                                      • C:\Windows\GameBarPresenceWriter\taskhostw.exe
  C:\Windows\GameBarPresenceWriter\taskhostw.exe
  1⤵
  • Executes dropped EXE
  PID:1916
• C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
  "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
  1⤵
  • Checks computer location settings
  • Executes dropped EXE
  PID:4880
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057702a4-d498-4dc1-95b7-7662b4bf6c82.vbs"
    2⤵
    PID:5460
    • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
      "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
      3⤵
      • Executes dropped EXE
      PID:228
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b6f7b0-6e32-420c-a400-49aff09bc138.vbs"
    2⤵
    PID:2872
• C:\Recovery\WindowsRE\RuntimeBroker.exe
  C:\Recovery\WindowsRE\RuntimeBroker.exe
  1⤵
  • Executes dropped EXE
  PID:2428
• C:\Program Files\Java\componentdriver.exe
  "C:\Program Files\Java\componentdriver.exe"
  1⤵
  • Executes dropped EXE
  PID:6104
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62c8938-9ad7-4046-9a79-c8607b4b8d16.vbs"
    2⤵
    PID:3820
    • C:\Program Files\Java\componentdriver.exe
      "C:\Program Files\Java\componentdriver.exe"
      3⤵
      • Executes dropped EXE
      PID:5776
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79bbd1c5-aee0-4286-9941-007d513491b7.vbs"
    2⤵
    PID:3648
• C:\Recovery\WindowsRE\System.exe
  C:\Recovery\WindowsRE\System.exe
  1⤵
  • Executes dropped EXE
  PID:3416
• C:\Program Files\Reference Assemblies\conhost.exe
  "C:\Program Files\Reference Assemblies\conhost.exe"
  1⤵
  • Executes dropped EXE
  PID:5916
• C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
  "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
  1⤵
  • Checks computer location settings
  • Executes dropped EXE
  • Modifies registry class
  PID:5536
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1318c91-85a0-4351-aa55-08119230c92c.vbs"
    2⤵
    PID:5952
    • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
      "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
      3⤵
      • Executes dropped EXE
      PID:824
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8117e60d-7c23-45b2-a588-8fd87c322360.vbs"
        4⤵
        PID:5868
        • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
          "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
          5⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:5832
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c745f54-859c-48fc-a393-4a825fccbe01.vbs"
            6⤵
            PID:1536
            • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
              "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
              7⤵
              PID:4248
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6cdf19a-1894-4ad2-82ae-c81c6e64163f.vbs"
                8⤵
                PID:4484
                • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                  "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                  9⤵
                  • Checks computer location settings
                  PID:5524
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e329c00-a646-4650-aa5c-b28a2894f1ca.vbs"
                    10⤵
                    PID:5764
                    • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                      "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                      11⤵
                      PID:3224
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c519d48f-cd12-42b1-88f6-631a5cf15220.vbs"
                        12⤵
                        PID:5176
                        • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                          "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                          13⤵
                          • Checks computer location settings
                          • Modifies registry class
                          PID:1580
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c10c2a9-7d63-4565-9894-73eba881c206.vbs"
                            14⤵
                            PID:4284
                            • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                              "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                              15⤵
                              PID:3132
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\142f0424-15c6-478c-924d-4e6b0c363903.vbs"
                                16⤵
                                PID:224
                                • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                  "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                  17⤵
                                  • Checks computer location settings
                                  • Modifies registry class
                                  PID:5916
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692a3380-5008-43af-b890-d3ff100efb74.vbs"
                                    18⤵
                                    PID:2520
                                    • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                      "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                      19⤵
                                      • Checks computer location settings
                                      PID:2260
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0ea935-263e-4401-8836-8d85086a1a7e.vbs"
                                        20⤵
                                        PID:2068
                                        • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                  PID:5068
                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f1cb09-2267-448a-8010-4809502046fe.vbs"
                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                      PID:2680
                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                        PID:4396
                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc37a1fe-754b-44eb-9b30-fc5075318517.vbs"
                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                            PID:2256
                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                              25⤵
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:4144
                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2bb337-4d40-4b77-885c-70e367ad19eb.vbs"
                                                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                                                  PID:5760
                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                    27⤵
                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                    PID:1956
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ba4984-fef8-4050-bb13-e7e39299f754.vbs"
                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                        PID:4460
                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                          29⤵
                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                          PID:744
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abd383e9-f9ea-42f9-ba17-09ce39389c7a.vbs"
                                                                                                                                                                                                                                                                                            30⤵
                                                                                                                                                                                                                                                                                              PID:5588
                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                31⤵
                                                                                                                                                                                                                                                                                                  PID:4988
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8be40d4-a2f7-4900-a56e-b5b5d663c002.vbs"
                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                      PID:2580
                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                        PID:3120
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37bac8d-4e2b-425e-b729-cf2dc983c6aa.vbs"
                                                                                                                                                                                                                                                                                                          34⤵
                                                                                                                                                                                                                                                                                                            PID:4676
                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                              35⤵
                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                              PID:796
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79165b12-2ec4-45c5-ba30-f93d68f80769.vbs"
                                                                                                                                                                                                                                                                                                                36⤵
                                                                                                                                                                                                                                                                                                                  PID:4436
                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                                    37⤵
                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                    PID:976
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d7366f7-6295-46b8-883a-cfee7377a0cc.vbs"
                                                                                                                                                                                                                                                                                                                      38⤵
                                                                                                                                                                                                                                                                                                                        PID:4736
                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                                          39⤵
                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                  • Modifies registry class
                                  PID:5036
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5f796f-d784-4100-9275-afd83c73a291.vbs"
                                    40⤵
                                      PID:3180
                                      • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                        "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                        41⤵
                                          PID:5296
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85188f1d-700d-4016-b9c9-72bd309bd7e5.vbs"
                                        40⤵
                                          PID:3468
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2011474-fdec-492a-8fce-bbdc528d84fd.vbs"
                                      38⤵
                                        PID:468
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcba4439-57ce-40d6-9284-174a63dc5c4e.vbs"
                                    36⤵
                                      PID:1696
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30368f87-5b58-4f77-bff4-6993485d297b.vbs"
                                  34⤵
                                    PID:5916
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dc53452-72e5-44b7-bc9e-c3051c499dcd.vbs"
                                32⤵
                                  PID:4284
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8ec280-3f68-4e8a-a9e9-867b4ddcabb9.vbs"
                              30⤵
                                PID:5360
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449afa59-4634-4de1-992c-784f32edc3dd.vbs"
                            28⤵
                              PID:5592
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9f38a0-bdc0-4468-8c41-5704e7776c51.vbs"
                          26⤵
                            PID:1972
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dac9b1e-42c1-43f6-be1c-be4b9db9997c.vbs"
                        24⤵
                          PID:3124
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d8f238-3f0b-4d91-8b38-cc3e287b3c76.vbs"
                      22⤵
                        PID:4072
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1eaba45-2e26-41e6-ad93-1d5091d648cd.vbs"
                    20⤵
                      PID:1492
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58b2e67a-d6ff-4fe5-bbb8-ed55380cb4f8.vbs"
                  18⤵
                    PID:3016
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a742602f-739b-4808-9d05-13e34cad85cf.vbs"
                16⤵
                  PID:5108
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ed34b8-5ffa-4b21-bc06-55a4b9405630.vbs"
              14⤵
                PID:4300
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1865d728-2549-454f-b24f-5710438ad28c.vbs"
            12⤵
              PID:3620
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db558666-b7b3-4609-9ab2-a3d5db62bf80.vbs"
          10⤵
            PID:1888
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cafd109f-ba76-4aa9-9770-b582e3b38de3.vbs"
        8⤵
          PID:3244
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe128562-0449-4916-84f1-6f516fa78541.vbs"
      6⤵
        PID:3464
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65509e5b-b959-4e1c-84fb-6a99e645d62d.vbs"
    4⤵
      PID:1400
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34dcf5c6-0c7c-4b63-9662-0ce2f1c1fcc7.vbs"
  2⤵
    PID:5228
• C:\Recovery\WindowsRE\winlogon.exe
  C:\Recovery\WindowsRE\winlogon.exe
  1⤵
    PID:3528
• C:\Program Files\Common Files\dllhost.exe
  "C:\Program Files\Common Files\dllhost.exe"
  1⤵
    PID:5464
• C:\Recovery\WindowsRE\sppsvc.exe
  C:\Recovery\WindowsRE\sppsvc.exe
  1⤵
  • Checks computer location settings
  • Modifies registry class
    PID:5996
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e6fe78b-8b5e-4ee8-89a2-c0c9b4a508a0.vbs"
      2⤵
        PID:3748
                                                                                                                                                                                                                                                                                                  • C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                                                                                                                                    C:\Recovery\WindowsRE\sppsvc.exe
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:4880
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a6e360-3ed1-48a0-8d7f-446dabc895e5.vbs"
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:3004
                                                                                                                                                                                                                                                                                                  • C:\Users\Default\SendTo\explorer.exe
                                                                                                                                                                                                                                                                                                    C:\Users\Default\SendTo\explorer.exe
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                      PID:452
                                                                                                                                                                                                                                                                                                    • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                      PID:4668
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05babe49-1481-44c4-9537-c92b000e38e8.vbs"
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:1580
                                                                                                                                                                                                                                                                                                          • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                            PID:4664
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b272904e-9bf5-401d-8d1b-087f66f2cfc7.vbs"
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:2112
                                                                                                                                                                                                                                                                                                                • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                  PID:1172
                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c70ec69-c6c6-45fd-8599-69b1eab1a84b.vbs"
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                      PID:4348
                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                        PID:4792
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537c8b00-295b-417f-88bb-91d257e6fbc7.vbs"
                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                            PID:3036
                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                              PID:6140
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ab00e74-10fe-46f4-927c-a05e5e55b19a.vbs"
                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                  PID:4312
                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                                      PID:5208
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6ba33ca-04bc-48ea-bac5-ca1cd74a2b31.vbs"
                                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                                          PID:3312
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                                                                                              PID:2988
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdd2479-6a8e-450d-ac57-c0186299d054.vbs"
                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1252
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                      PID:640
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e86785e0-ec96-4f48-9767-64439efbccc0.vbs"
                            14⤵
                              PID:4456
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec097f6-e1ea-43e0-94dc-bbc2d6116b0e.vbs"
                        12⤵
                          PID:3840
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b5bd040-4862-4bf2-bffa-4099b2771c24.vbs"
                    10⤵
                      PID:3264
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f24c5c-7dea-478b-b2cf-ca800eecbe83.vbs"
                8⤵
                  PID:1412
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543671aa-e94e-4ca0-89ae-d215834ff9f0.vbs"
            6⤵
              PID:2952
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4291c968-6381-4e9a-b5a3-81ff7614d460.vbs"
        4⤵
          PID:5696
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4094642-9330-4644-8629-9aca3bea93a5.vbs"
    2⤵
      PID:5136
• C:\Program Files\Windows Defender\sysmon.exe
  "C:\Program Files\Windows Defender\sysmon.exe"
  1⤵
    PID:4896
• C:\Windows\GameBarPresenceWriter\taskhostw.exe
  C:\Windows\GameBarPresenceWriter\taskhostw.exe
  1⤵
    • Checks computer location settings
    PID:228
• C:\Recovery\WindowsRE\winlogon.exe
  C:\Recovery\WindowsRE\winlogon.exe
  1⤵
    • Checks computer location settings
    PID:4616
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a78d28-f1aa-462e-a330-b424f31259eb.vbs"
    2⤵
      PID:232
    • C:\Recovery\WindowsRE\winlogon.exe
      C:\Recovery\WindowsRE\winlogon.exe
      3⤵
        PID:2984
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d880d83-f273-4881-80e2-c7d806362fea.vbs"
    2⤵
      PID:2772
• C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
  "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
  1⤵
    PID:924
• C:\Program Files\Common Files\dllhost.exe
  "C:\Program Files\Common Files\dllhost.exe"
  1⤵
    PID:3048
• C:\Recovery\WindowsRE\RuntimeBroker.exe
  C:\Recovery\WindowsRE\RuntimeBroker.exe
  1⤵
    PID:3112
• C:\Recovery\WindowsRE\System.exe
  C:\Recovery\WindowsRE\System.exe
  1⤵
    • Modifies registry class
    PID:3192
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb280db-4467-43c6-ba37-5e2d8247c332.vbs"
    2⤵
      PID:5528
    • C:\Recovery\WindowsRE\System.exe
      C:\Recovery\WindowsRE\System.exe
      3⤵
        • Checks computer location settings
        • Modifies registry class
        PID:3312
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f9600c-5da5-4c05-8692-4e710697144d.vbs"
        4⤵
          PID:4932
        • C:\Recovery\WindowsRE\System.exe
          C:\Recovery\WindowsRE\System.exe
          5⤵
            PID:4692
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08777abf-3d13-4606-8c90-2046dce7d6be.vbs"
            6⤵
              PID:5692
            • C:\Recovery\WindowsRE\System.exe
              C:\Recovery\WindowsRE\System.exe
              7⤵
                • Checks computer location settings
                PID:2716
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cfa47e7-b41a-472f-87b5-f7b3e49dfe6e.vbs"
                8⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3408
                                                                                                                                                                                                                                                                                                                                                                                • C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                  PID:2664
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda02311-a2c3-4fdc-9f91-15a31d3d721f.vbs"
                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:212
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                        PID:736
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60cd3c1f-244e-4208-8f75-83dbb7ee39f3.vbs"
                                                                                                                                                                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:3040
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                              C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                              PID:4448
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313e1a65-9f27-4447-81e2-807867ec150a.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:4892
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:3396
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4157040-0083-4f45-9bad-46dd10c02056.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5880
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a339faa-6ac3-4677-946f-625d26087bd9.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2176
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0c8d48-8acd-4808-9eca-7dcad4b4fc9a.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:4752
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7063ae3a-3916-432b-842f-63fb708355c5.vbs"
                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:2280
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee550d42-49ea-4051-8547-2c4ba429ce65.vbs"
                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:5652
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8b8d2f-b948-45e1-ba86-92f8fa81ce8e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4880
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623f17cc-9c17-46e9-99b3-d59a017a936e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:5604
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:6140
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Reference Assemblies\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Reference Assemblies\conhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:5676
• C:\Recovery\WindowsRE\sppsvc.exe
  C:\Recovery\WindowsRE\sppsvc.exe
  1⤵
  • Checks computer location settings
  PID:760
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef4406e-66fc-4207-b51f-11254a96599a.vbs"
    2⤵
    PID:1192
    • C:\Recovery\WindowsRE\sppsvc.exe
      C:\Recovery\WindowsRE\sppsvc.exe
      3⤵
      • Checks computer location settings
      • Modifies registry class
      PID:1536
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ef4670-6741-48f6-851c-f569e33d7452.vbs"
        4⤵
        PID:4608
        • C:\Recovery\WindowsRE\sppsvc.exe
          C:\Recovery\WindowsRE\sppsvc.exe
          5⤵
          • Checks computer location settings
          • Modifies registry class
          PID:4412
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06815d88-7902-4e12-8bc6-620812bdb8e0.vbs"
            6⤵
            PID:1820
            • C:\Recovery\WindowsRE\sppsvc.exe
              C:\Recovery\WindowsRE\sppsvc.exe
              7⤵
              • Checks computer location settings
              PID:1408
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ea5e85c-3c16-475b-8bc3-dfd3bb31050b.vbs"
                8⤵
                PID:3444
                • C:\Recovery\WindowsRE\sppsvc.exe
                  C:\Recovery\WindowsRE\sppsvc.exe
                  9⤵
                  PID:5728
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4795f0b5-2db3-4c41-949a-fbcc9cdcbac2.vbs"
                    10⤵
                    PID:3600
                    • C:\Recovery\WindowsRE\sppsvc.exe
                      C:\Recovery\WindowsRE\sppsvc.exe
                      11⤵
                      • Modifies registry class
                      PID:2864
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa30675c-44a2-4536-a1ca-4eacd556a4be.vbs"
                        12⤵
                        PID:6116
                        • C:\Recovery\WindowsRE\sppsvc.exe
                          C:\Recovery\WindowsRE\sppsvc.exe
                          13⤵
                          • Checks computer location settings
                          PID:6092
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf0f330-18ac-4299-8c8f-56e7add54f30.vbs"
                            14⤵
                            PID:2172
                            • C:\Recovery\WindowsRE\sppsvc.exe
                              C:\Recovery\WindowsRE\sppsvc.exe
                              15⤵
                              PID:5288
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8a4e2de-c848-4dc2-b3b2-14f88c105962.vbs"
                            14⤵
                            PID:3592
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f66c737-7ac1-4042-8259-06dc0dfaef87.vbs"
                        12⤵
                        PID:4024
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64283188-3e8a-40c6-9c8b-dfaec055b63c.vbs"
                    10⤵
                    PID:2404
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b81ee4-ce7a-4268-b9fb-c24170c5470e.vbs"
                8⤵
                PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a82fad1-cf95-4ebe-bcf2-8bd9646978ae.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4060
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96ebdf18-7a40-4551-bd06-79e02fb563a2.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3672
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f88c9d-c326-46c4-bfa1-569e5bb5fd57.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2008
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1220
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a83f19f-7904-4b6b-a9e0-e7b41cc2e553.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5688
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6116
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdfa568e-9529-4d0a-b4a8-a30ae6e6a53e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1188
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4324
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de72f4f-9a38-4403-9af1-106f41bdc482.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5772
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5985216-b963-4558-89da-ac2e32af932d.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1820
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4316
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f75d47-c4cf-4817-b665-4f1b35b2ac57.vbs"
10⤵
  PID:1608
  • C:\Recovery\WindowsRE\winlogon.exe
    C:\Recovery\WindowsRE\winlogon.exe
    11⤵
    • Modifies registry class
    PID:5824
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbbc7328-63fb-4e35-8d1c-17c6d41d32b9.vbs"
      12⤵
        PID:5180
        • C:\Recovery\WindowsRE\winlogon.exe
          C:\Recovery\WindowsRE\winlogon.exe
          13⤵
          • Modifies registry class
          PID:3976
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ba7504-2e40-455a-9ea2-bac55c5699d4.vbs"
            14⤵
              PID:3600
              • C:\Recovery\WindowsRE\winlogon.exe
                C:\Recovery\WindowsRE\winlogon.exe
                15⤵
                  PID:1384
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e27448-fab9-4cf2-b28b-36f83e73eb17.vbs"
                14⤵
                  PID:2760
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af5e320-11c3-4323-bce7-0836e3fc0a44.vbs"
            12⤵
              PID:6076
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1860f98c-f558-427b-a205-ed5b77d211af.vbs"
          10⤵
            PID:2168
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c997b7-bcbb-42cb-b3af-f155fc814135.vbs"
        8⤵
          PID:1572
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22892db-2e67-44ee-882c-b31a806f2ded.vbs"
      6⤵
        PID:2612
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc4791f-c505-4173-a640-3b961266c22d.vbs"
    4⤵
      PID:5320
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553ac95d-58ba-4d61-a962-306216ee0654.vbs"
  2⤵
    PID:4340
• C:\Program Files\Windows Defender\sysmon.exe
  "C:\Program Files\Windows Defender\sysmon.exe"
  1⤵
    PID:1576
  • C:\Windows\GameBarPresenceWriter\taskhostw.exe
    C:\Windows\GameBarPresenceWriter\taskhostw.exe
    1⤵
      PID:4000
    • C:\Program Files\Common Files\dllhost.exe
      "C:\Program Files\Common Files\dllhost.exe"
      1⤵
        PID:5140
      • C:\Program Files\Java\componentdriver.exe
        "C:\Program Files\Java\componentdriver.exe"
        1⤵
          PID:3820
        • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
          "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
          1⤵
          • Checks computer location settings
          PID:4712
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7097c13-9327-4818-acbc-c260a2495fcb.vbs"
            2⤵
              PID:5104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2620
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a13bffde-c40a-427f-b24f-19fce88d192b.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f758cf-002e-49c0-99fd-d48f9268758e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\969b0534-8dd4-4944-bde0-60d1beb2b211.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f2e19c-6c36-468c-a8e5-37a97cefa17d.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb1b45e-c54c-427e-99b3-913d09863aa7.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107c0687-5b07-4ae4-ac49-4e137aec3b22.vbs"
                        12⤵
                        PID:4432
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a3efd0-d867-4b87-975e-6f11fb8073cc.vbs"
                    10⤵
                    PID:5896
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e1e5eb-b1e3-4c9f-865f-8a5097fdfcae.vbs"
                8⤵
                PID:2220
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3653256-8fe4-4c0e-888b-0200b3932e43.vbs"
            6⤵
            PID:1044
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac6e4aa-f6d3-424e-ace3-0591d02378fe.vbs"
        4⤵
        PID:4940
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\345527d2-b120-4058-a96f-86b51cde28d1.vbs"
    2⤵
    PID:5332
• C:\Recovery\WindowsRE\RuntimeBroker.exe
  C:\Recovery\WindowsRE\RuntimeBroker.exe
  1⤵
  PID:5372
• C:\Recovery\WindowsRE\sppsvc.exe
  C:\Recovery\WindowsRE\sppsvc.exe
  1⤵
  PID:1488
• C:\Users\Default\SendTo\explorer.exe
  C:\Users\Default\SendTo\explorer.exe
  1⤵
  PID:6092
• C:\Recovery\WindowsRE\System.exe
  C:\Recovery\WindowsRE\System.exe
  1⤵
  • Checks computer location settings
  PID:1000
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d253f2b-412b-47e6-aabf-5c2bad859b5c.vbs"
    2⤵
    PID:4868
    • C:\Recovery\WindowsRE\System.exe
      C:\Recovery\WindowsRE\System.exe
      3⤵
      • Checks computer location settings
      • Modifies registry class
      PID:4452
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e64d417-094e-4bc8-9772-9c6ca85b759e.vbs"
        4⤵
        PID:5156
        • C:\Recovery\WindowsRE\System.exe
          C:\Recovery\WindowsRE\System.exe
          5⤵
          • Checks computer location settings
          • Modifies registry class
          PID:6004
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b246990-46ed-4e7d-8c30-2c36b6132478.vbs"
            6⤵
            PID:1588
            • C:\Recovery\WindowsRE\System.exe
              C:\Recovery\WindowsRE\System.exe
              7⤵
              • Checks computer location settings
              PID:4320
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6963d977-e1cb-4a0c-be51-e59f9d6e745b.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Recovery\WindowsRE\System.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e8d37b-df5c-4b1c-a41d-d4a6d92d1390.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a2bb604-f76e-4fd3-a650-01b6b09f93aa.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1048b06-29c7-4793-9cfb-24ff37932ae2.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be981f30-6e44-43a5-a317-7f308dc46f7c.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230067e7-497b-4131-bae7-94a481cad7d2.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fa82deb-557e-4843-9551-e5aaad4bf4ab.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Recovery\WindowsRE\winlogon.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Java\componentdriver.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Java\componentdriver.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Reference Assemblies\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Reference Assemblies\conhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Common Files\dllhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Common Files\dllhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2756

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

  Filesize

  2KB

  MD5

  d85ba6ff808d9e5444a4b369f5bc2730

  SHA1

  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    baf55b95da4a601229647f25dad12878

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    abc16954ebfd213733c4493fc1910164d825cac8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cadef9abd087803c630df65264a6c81c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2e907f77659a6601fcc408274894da2e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    944B

  MD5       6c47b3f4e68eebd47e9332eebfd2dd4e
  SHA1      67f0b143336d7db7b281ed3de5e877fa87261834
  SHA256    8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
  SHA512    0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

• C:\Users\Admin\AppData\Local\Temp\0b8b8d2f-b948-45e1-ba86-92f8fa81ce8e.vbs
  Filesize  484B
  MD5       fdfb4af7567e5cc5ae43b2a2db2234d8
  SHA1      d833fbd2395d88a3fce70394f0eb7e0dcdee9da6
  SHA256    c36cf10ba5015bdac9abf94fb95dd168c9ab6bf568adb8ecf7cf8f8bbdd612bc
  SHA512    11c10a0d96e68f1ac0ef9633662218d471c4d06a05b78034dfc56bbfd75281b7de8cfced539200f1805fce2271c272fad581371bc5a7dd1c992633fd9f95a60d

• C:\Users\Admin\AppData\Local\Temp\196e3c15-698c-47ee-b468-4799fc211ef2.vbs
  Filesize  722B
  MD5       2a4ec3341e239a8f35d51a9be649f27c
  SHA1      d83b95063167d5b4464c9b4b88b69d15673bc3de
  SHA256    5164e184df8ffec80f0c4936502dab95d840b56e22d94408180463e235323f46
  SHA512    1b0b77e23ea97090bc1dc93e79c77673f7dd6fbaeb50e23ef411a47d175807d3de9e8aa47567159b1955597303957c3210d4a8a525838a0e5ea50dcd9d2389d0

• C:\Users\Admin\AppData\Local\Temp\1fbcac25-ead4-4a29-bb13-c7d170f6a895.vbs
  Filesize  722B
  MD5       e83d9d9d2e3b3ebb6a87b1cb41c4f44b
  SHA1      3cd4ce19b8156e187defb3d6748ab42266956441
  SHA256    dd714e4e81f21fb289d2b7d3e02db9ab4fa518276b5d76ed6e137f12c8027565
  SHA512    ddaa6670eeced555e6123c424bac67145df436c55970c917e8ac5a289428479e45a0e50d2665b70a2babe318784c9b8ba5b363c4a264c2668d1df15decea0f73

• C:\Users\Admin\AppData\Local\Temp\324aaa64-253b-4630-9deb-2e323756ed95.vbs
  Filesize  722B
  MD5       a994b2929b6d5778a012a266213b807a
  SHA1      0d5d58b484d1e4ba8bda98822098fb0598be92ad
  SHA256    f696ed2a23f293932d54c6d5de79bdf9b52b2172b6dc2ccf90bb2ae1ad7f63f3
  SHA512    881633e57ab599a2e3a5ab0524d2d267d93bd05c12f92be9960c8e601c854f477769faadd5b977e63f97f446effe70b4fbfe9cd409575ee695496beb3e2ed7b3

• C:\Users\Admin\AppData\Local\Temp\345527d2-b120-4058-a96f-86b51cde28d1.vbs
  Filesize  507B
  MD5       ef443ed7fe177bf41c988631e91ffffe
  SHA1      0ca5d917fa585e1d139c88539966ea9c3b455e70
  SHA256    a25a9d708855c04d434bfe93ced676de5ee6f8f0ca88de7437dbeb3f504b7653
  SHA512    a165b09804dcd3ef4913b623439d870e78275b4ecc745b3ff9b54b66cbade26a36fc0adddffd42e6ce8404ff40d413d1cac479523036d6b0603041a9173b8221

• C:\Users\Admin\AppData\Local\Temp\604187ae-7d1b-40fb-9c4b-fd1886608995.vbs
  Filesize  722B
  MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    25b32d61f1a001e285891cb7a2ce175d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2a0903a3a3ee3989fbe0a273f7e3595035f11bea

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9396946c8da32e22ec8578b91ef2690ea9e55268c515589320d4f9373366a3a9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d88c25a44bbe320511827731b74cc3681138d1235aceb5cc52cd2f48bf11e90ac2c24726e6ccfd3f677b365657a251e516f7eef6f2d5f583d80c6c3a1dd6bb3f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\63fa41b7-b7db-4419-b880-a1de4eedd381.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    722B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    590422bf9bb18fe1a3be3c084b824b63

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e33f04fbe420bfa27cf54baeb70baacb37ad2251

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    26603fc4664ceb7a7265fe6efa7abb436ba71a4b727b6b06ab90d38cddb55d5f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7ba0cab7623e66e25c054faa9d3ea9e45620fed825ba29b114a56324517a6e6c3d08e02b7ffdd637e7d2095e15b268db1a326084a54bcebd2e8a7f79c9dee96b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\65509e5b-b959-4e1c-84fb-6a99e645d62d.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    515B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    25a883d05508102693cbb36ab7dc98cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    56835b778452e5966274909fd12ee397cd3ea0bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    06b3a95274416ed82c77b1a2603d6090760a9460ff465157e0ceb48066552cdb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cea582d43fc277ba49ddefdf1b226677f1adecd43bdb46cedc88bd09712c0451940a0fac83babd48bd9ff594551e0e828b756bc55e9f434372de601230b99d33

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6f747303-1b14-4e1f-ae8c-220b6f67c694.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    498B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    601944d41fca7b598733cf8c16915c12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2b821f5a7d53d3f243f223cc21a6670c956bc163

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    880fdf72a574f58a843e6b846d2c3795161322059fa03e6670adc38225b2fbce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6105b8987d9d191232539f16979296d1a6e2f9266f4ef531ab9d920818d3362164c0f54ed0b56ac1c7612af58a7063ae569a592cf45d97c1c4fedba616375de6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\831d5a6e-07f7-419a-a50e-5ba25bbc58f7.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    484B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f411aa4d985ff8e1dd35c57f5f8e8ff3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4531e4accab8ed87c87b9c411c05732c2a026c5e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    995060f2dfd4dd19b6d0ff2ddcada15ce6c025f94e76af6da4e62b697f8ef418

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    19efda180b267e995bcd8ff01d0a7433cc65ef9493a823c5d3e9d32253e3dae7a1c29ed79523e374354afd2df9350cb5fd6f0805d9ce00287628f07a3e1b8e48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\a3e49963-ac36-4372-8511-21ea35aac71d.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    722B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3ecbb152feecaee0659b40005667198d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    18ad8122757f8f883e3b58a85642666caf02912f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ef5d2b57569b9cb11d7ae9050a978ff820fd5c5e94e00aa6009adff02476e20c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5e94a14622ad899e2d9ac93bf2283ca9e28707641af9b8344056d254a235751776e8e6208c74738a520cec051fa8fe7a92f12e0841b776625e70b7c997675efe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\c01f9304-5872-4583-96a7-3436bbfc00ce.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    722B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    90972558455aa041dfe87db0bf931d20

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3d0a79b9fc47c0fc0eb6f0fc808759c06b5e8d5d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ecf128a3864554fd54ea5ade63b5db7a24edfbb1e8c938ceb156c182287c7003

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0b4d177bb403cc2c807575e427fb1679fe7b09dcd9bcf45062be0dedd783c23378a998a1bc64750e2f7cb573f44bf5d38b4aaf009503c86639de42f682e8612f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\cb639fa4-316a-48c8-afb8-7e6e2ff989e4.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    722B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6784a079568fe34d6361eec1e2e4870b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9820c0c0784a755bfb0079df4999429e76db41c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    293a1c05a3402ad31d39e1e6d02241a48ab1fba8071e1f9feb86f419bf902334

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    300c3433f04249dfcaeb4fa2b6c55524eb2b0862a5d1d4d511b99b6b06e14d9bbdf9a5de05c763a9317b9863dc229914ec955c4355f16ab73073dbb0a68d95e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dfeeed01-b196-49e8-b25a-0ecb6b83721c.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    722B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8ecbcc5269591a13a13ceb4fbc69bb45

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7784ce3ce785a2f388a8effb2c20219da44c5d6e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b3ea8b774b41c5f3f1ca1d323a74734b20955df48d2f3b4aeb70c9f438bdfa1d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    01efb12cfc8b7da52134ab5e8921f9c23ab19778e41865641fd7b70ff7d6f47056d972c2bc28357899432e506119ab532d6bde3fb7bcc9d341d0964dd1e759e0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\f4094642-9330-4644-8629-9aca3bea93a5.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    493B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    994a63b689bafbbc616130077ded7447

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    adf8dd77063ebb6b0e0fbd0bfbfeb2f6a6363d1f

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat
  Filesize: 48B

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
  Filesize: 1.0MB

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe
  Filesize: 222B

• memory/2876-0-0x0000000000290000-0x0000000000676000-memory.dmp
  Filesize: 3.9MB

• memory/2876-9-0x0000000000290000-0x0000000000676000-memory.dmp
  Filesize: 3.9MB

• memory/3884-194-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-193-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-192-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-196-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-197-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-195-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-198-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

• memory/3884-186-0x0000021A9D190000-0x0000021A9D191000-memory.dmp
  Filesize: 4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3884-187-0x0000021A9D190000-0x0000021A9D191000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3884-188-0x0000021A9D190000-0x0000021A9D191000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4440-71-0x00000232C77C0000-0x00000232C77E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-20-0x0000000002680000-0x000000000268A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    40KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-22-0x00000000026A0000-0x00000000026AC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-21-0x0000000002690000-0x0000000002698000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-19-0x0000000002670000-0x000000000267C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-18-0x0000000002660000-0x000000000266C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-17-0x0000000002650000-0x0000000002658000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-16-0x0000000000420000-0x000000000052A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/4720-15-0x00007FFD71503000-0x00007FFD71505000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8KB
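The memory-dump names above encode the process ID, a dump sequence number and the virtual address range that was captured (`memory/PID-SEQ-START-END-memory.dmp`), so the listed Filesize should equal END minus START. The following Python is an added example, not part of the sandbox report: it parses that naming scheme, checks each reported size against the address range, confirms the ranges are page-aligned, groups regions per process, and flags ranges that were dumped more than once (PID 3884's single page above appears four times under different sequence numbers). The sample list is the entries from this section, transcribed by hand; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the dump entries listed in this section, with the
# Filesize label the report shows next to each one.
REPORT_ENTRIES = [
    ("memory/3884-198-0x0000021A9D190000-0x0000021A9D191000-memory.dmp", "4KB"),
    ("memory/3884-186-0x0000021A9D190000-0x0000021A9D191000-memory.dmp", "4KB"),
    ("memory/3884-187-0x0000021A9D190000-0x0000021A9D191000-memory.dmp", "4KB"),
    ("memory/3884-188-0x0000021A9D190000-0x0000021A9D191000-memory.dmp", "4KB"),
    ("memory/4440-71-0x00000232C77C0000-0x00000232C77E2000-memory.dmp", "136KB"),
    ("memory/4720-20-0x0000000002680000-0x000000000268A000-memory.dmp", "40KB"),
    ("memory/4720-22-0x00000000026A0000-0x00000000026AC000-memory.dmp", "48KB"),
    ("memory/4720-21-0x0000000002690000-0x0000000002698000-memory.dmp", "32KB"),
    ("memory/4720-19-0x0000000002670000-0x000000000267C000-memory.dmp", "48KB"),
    ("memory/4720-18-0x0000000002660000-0x000000000266C000-memory.dmp", "48KB"),
    ("memory/4720-17-0x0000000002650000-0x0000000002658000-memory.dmp", "32KB"),
    ("memory/4720-16-0x0000000000420000-0x000000000052A000-memory.dmp", "1.0MB"),
    ("memory/4720-15-0x00007FFD71503000-0x00007FFD71505000-memory.dmp", "8KB"),
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # x86/x64 page size; sandbox dumps are taken at page granularity
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_matches_label(size, label):
    """True if the byte size rounds to the report's human-readable label."""
    m = re.fullmatch(r"([\d.]+)(KB|MB|GB)", label)
    if not m:
        raise ValueError(f"unrecognised size label: {label}")
    number, unit = m.group(1), m.group(2)
    decimals = len(number.split(".")[1]) if "." in number else 0
    # Accept anything that rounds to the displayed precision (half a unit).
    tolerance = UNITS[unit] * (10 ** -decimals) / 2
    return abs(size - float(number) * UNITS[unit]) <= tolerance


def is_page_aligned(region):
    return region["start"] % PAGE == 0 and region["end"] % PAGE == 0


def check_report(entries):
    """Return the names whose address range disagrees with the listed size."""
    return [name for name, label in entries
            if not size_matches_label(parse_dump_name(name)["size"], label)]


def summarize_by_pid(entries):
    """Per process: number of regions, total bytes dumped, largest region's seq."""
    out = {}
    for name, _ in entries:
        r = parse_dump_name(name)
        s = out.setdefault(r["pid"], {"count": 0, "total": 0, "largest_seq": None, "largest": 0})
        s["count"] += 1
        s["total"] += r["size"]
        if r["size"] > s["largest"]:
            s["largest"], s["largest_seq"] = r["size"], r["seq"]
    return out


def repeated_ranges(entries):
    """Map (pid, start, end) -> [seq, ...] for ranges captured more than once."""
    seen = defaultdict(list)
    for name, _ in entries:
        r = parse_dump_name(name)
        seen[(r["pid"], r["start"], r["end"])].append(r["seq"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_report(REPORT_ENTRIES))
    for pid, s in summarize_by_pid(REPORT_ENTRIES).items():
        print(f"pid {pid}: {s['count']} regions, {s['total']} bytes, largest seq {s['largest_seq']}")
    for (pid, start, end), seqs in repeated_ranges(REPORT_ENTRIES).items():
        print(f"pid {pid} range {start:#x}-{end:#x} dumped {len(seqs)} times: {seqs}")
```

Re-dumps of one page under several sequence numbers, as for PID 3884 here, usually mean the sandbox captured the same region at different points in the run; comparing those dumps shows what changed in that page over time, which a single snapshot cannot.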