Analysis
max time kernel: 1800s
max time network: 1794s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 14:53
Behavioral task: behavioral1
Sample: RustUpdater.exe
Resource: win10v2004-20240709-en
General
Target: RustUpdater.exe
Size: 2.3MB
MD5: 50d955b49b2a8878cdd683365c83e183
SHA1: 9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244
SHA256: 528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78
SHA512: 6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2
SSDEEP: 49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | dcrat
behavioral1/memory/4720-16-0x0000000000420000-0x000000000052A000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\taskschd.msc | mmc.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2876 | RustUpdater.exe
-
Drops file in Program Files directory 17 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Reference Assemblies\conhost.exe | componentdriver.exe
File created | C:\Program Files\Reference Assemblies\088424020bedd6 | componentdriver.exe
File created | C:\Program Files\Common Files\dllhost.exe | componentdriver.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe | componentdriver.exe
File created | C:\Program Files\Windows Defender\sysmon.exe | componentdriver.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe | componentdriver.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\6203df4a6bafc7 | componentdriver.exe
File created | C:\Program Files\Common Files\5940a34987c991 | componentdriver.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\e1ef82546f0b02 | componentdriver.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe | componentdriver.exe
File created | C:\Program Files\Java\componentdriver.exe | componentdriver.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe | componentdriver.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\088424020bedd6 | componentdriver.exe
File created | C:\Program Files\Java\971d37d99120a6 | componentdriver.exe
File created | C:\Program Files\Windows Defender\121e5b5079f7c0 | componentdriver.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe | componentdriver.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\088424020bedd6 | componentdriver.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Branding\Basebrd\componentdriver.exe | componentdriver.exe
File created | C:\Windows\Branding\Basebrd\971d37d99120a6 | componentdriver.exe
File created | C:\Windows\GameBarPresenceWriter\taskhostw.exe | componentdriver.exe
File created | C:\Windows\GameBarPresenceWriter\ea9f0e6c9e2dcd | componentdriver.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: mmc.exe
pid process
1016 mmc.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: RustUpdater.exe, mmc.exe
pid process
2876 RustUpdater.exe
1016 mmc.exe
1016 mmc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfCzEvpyfZ.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3904
-
C:\Windows\GameBarPresenceWriter\taskhostw.exe"C:\Windows\GameBarPresenceWriter\taskhostw.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5336 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63fa41b7-b7db-4419-b880-a1de4eedd381.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:5452 -
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5776 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324aaa64-253b-4630-9deb-2e323756ed95.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:5884 -
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6004 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3e49963-ac36-4372-8511-21ea35aac71d.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:6104 -
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5232 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbcac25-ead4-4a29-bb13-c7d170f6a895.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:5480 -
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e33aa5-0343-406a-aadf-0b8bfc3da359.vbs"15⤵PID:3396
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe16⤵
- Executes dropped EXE
- Modifies registry class
PID:6092 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604187ae-7d1b-40fb-9c4b-fd1886608995.vbs"17⤵PID:4748
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe18⤵
- Checks computer location settings
- Executes dropped EXE
PID:4196 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a24851b3-e699-40de-9ede-9d74651990d8.vbs"19⤵PID:2728
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5724 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\196e3c15-698c-47ee-b468-4799fc211ef2.vbs"21⤵PID:5912
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe22⤵
- Checks computer location settings
- Executes dropped EXE
PID:4420 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfeeed01-b196-49e8-b25a-0ecb6b83721c.vbs"23⤵PID:5956
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe24⤵
- Executes dropped EXE
PID:5248 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb639fa4-316a-48c8-afb8-7e6e2ff989e4.vbs"25⤵PID:1840
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8677fb49-b85f-4704-a023-06cd34cf5271.vbs"27⤵PID:2784
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe28⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c01f9304-5872-4583-96a7-3436bbfc00ce.vbs"29⤵PID:3624
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe30⤵
- Executes dropped EXE
PID:740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ccb56d3-f1c9-4f1e-b471-c8b75eb92b4a.vbs"31⤵PID:3032
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1820 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7ed01b-cf15-4f16-86d0-d3acd00b8bd1.vbs"33⤵PID:4856
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:5420 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ef3bc5-a3e2-4735-a52b-dd5bcb432125.vbs"35⤵PID:5928
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe36⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a04c057-77ad-4fa2-a005-64403bd33aeb.vbs"37⤵PID:1880
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4220 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc1301de-41ee-4487-bbd6-fc75b1da41b2.vbs"39⤵PID:856
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3676 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc1759f4-e15b-466b-b4d2-8290fd85050d.vbs"41⤵PID:4176
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe42⤵
- Checks computer location settings
- Executes dropped EXE
PID:3644 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b20ff5-59bb-4671-9166-d8d1fdf00445.vbs"43⤵PID:2972
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe44⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6b1d09-9e19-48de-a58e-74a831c3d24e.vbs"45⤵PID:3192
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4996 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9a29ea-04c6-43f7-b888-9c7d68741576.vbs"47⤵PID:3840
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:5948 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6311f32f-100c-4875-9cd7-cf5576beb386.vbs"49⤵PID:5216
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc780bc-897c-40c2-99ac-6ff950e2a078.vbs"51⤵PID:1952
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe52⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3efe1b-4c8f-452b-b7e1-4183dec794e9.vbs"53⤵PID:5500
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b708f3-5618-401b-85be-8b6d6a8052db.vbs"55⤵PID:1500
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe56⤵
- Checks computer location settings
- Executes dropped EXE
PID:1880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdb13599-1004-423a-879a-66bf67b667b9.vbs"57⤵PID:3600
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe58⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a30f28-6c91-45d8-bc37-0b90028bd6a9.vbs"59⤵PID:2992
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe60⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd0bb3d5-489e-4fa1-a824-b5a7e3295305.vbs"61⤵PID:4684
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe62⤵
- Executes dropped EXE
PID:5212 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba3b494-2274-436e-87be-47117ac45881.vbs"63⤵PID:4704
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe64⤵
- Checks computer location settings
- Executes dropped EXE
PID:3524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec318e83-c5d3-4956-8632-b3cf1cc85f21.vbs"65⤵PID:3988
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe66⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4124 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ce240b-8bdf-4f2e-bc06-9c5288043dcb.vbs"67⤵PID:4392
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe68⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5588 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa67193c-5380-4caa-8037-c2eac81d3260.vbs"69⤵PID:5944
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe70⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1348 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e1785a-63d3-431e-8611-0b46e742ac35.vbs"71⤵PID:4512
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe72⤵
- Checks computer location settings
- Executes dropped EXE
PID:5568 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab326257-dc63-4469-8c88-771f48d3e310.vbs"73⤵PID:3112
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe74⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba6ef34-916b-4350-ab21-b547f20389e2.vbs"75⤵PID:1500
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe76⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:64 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e06bd8-e1a7-41d5-bec6-2e91c1d0fb94.vbs"77⤵PID:5920
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe78⤵
- Executes dropped EXE
PID:632
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8baf57e1-1dd4-4807-af10-ec521c1cc55d.vbs"77⤵PID:2288
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d5c4f6-d9ea-46a2-97a5-788edf21ed15.vbs"75⤵PID:1880
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2896a0-6369-449f-9a6b-5b6b95a3ecee.vbs"73⤵PID:1300
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8585bd84-09d3-470e-b86f-6c454ccc99ac.vbs"71⤵PID:400
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c20f23da-de55-4259-8001-74c7fd445e6b.vbs"69⤵PID:5520
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b76348a4-968a-47a2-ad8b-f380b5f3dabd.vbs"67⤵PID:5172
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a57f4d-f609-4d6f-8884-dc838807b654.vbs"65⤵PID:5540
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a9fc52-54e0-4c6c-b1e9-585a2dc77827.vbs"63⤵PID:5564
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4fafbf-2aca-42f7-8992-f30a8037132e.vbs"61⤵PID:5188
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fc232c-3fe2-4eab-8780-aaa8945a8b86.vbs"59⤵PID:4064
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded84253-66da-469e-9313-35238548c9c7.vbs"57⤵PID:1028
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a7f23ed-1361-49fd-9905-ff4ac6a6f143.vbs"55⤵PID:5656
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3414ffe4-34a6-45d8-a8a5-f2a37710edd4.vbs"53⤵PID:6080
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb961314-80d8-47c2-9509-421007a1f846.vbs"51⤵PID:4500
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500724ef-de1d-46c4-8d9f-03d1869ea2fe.vbs"49⤵PID:428
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fa57da-7a59-4729-8f33-40e629e84dae.vbs"47⤵PID:672
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb300af-2837-401d-a805-fab0b78f7289.vbs"45⤵PID:4524
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de0777e8-de5c-4a5a-820c-f77d450f8bef.vbs"43⤵PID:6108
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61da8b2-d98b-49ec-9976-f904c74685c9.vbs"41⤵PID:2452
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32a1dfe-246a-4786-8770-2f4086624e9f.vbs"39⤵PID:832
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a659914-903e-4d56-9e6b-7f8fd331ae3b.vbs"37⤵PID:5572
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d7e304-6b7f-4ace-a12e-fc8d3fbb15ae.vbs"35⤵PID:5428
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa07c047-e0ea-4835-a6f2-e8fbaf7eb160.vbs"33⤵PID:3560
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b327bec-a45c-456f-b21a-b5efb7666ab0.vbs"31⤵PID:1964
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854ecc17-2d45-49d1-b8bd-be9d607135c4.vbs"29⤵PID:5148
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe79d75-2ced-4a50-b2d4-f3999691fd46.vbs"27⤵PID:5164
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bccbb18-0ced-470f-b752-0b885a3a74b8.vbs"25⤵PID:5160
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fa7cc0-f8b8-4f7a-8823-1aa21af9d752.vbs"23⤵PID:4900
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a68f37e-82a4-4ebd-ba6e-5da388a86c4a.vbs"21⤵PID:5804
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c333ea-d56d-487d-9024-cffd4f2c3e04.vbs"19⤵PID:5424
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a324054-0f18-4199-b730-9e7c729199d2.vbs"17⤵PID:4720
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05ffdb5e-c30b-47b7-82ef-c53d2029d778.vbs"15⤵PID:3484
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ea9783-fd6d-4bc1-bd8a-92eb8dd0de28.vbs"13⤵PID:1048
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10c63abe-eeed-48e1-8824-0096ee44dd9d.vbs"11⤵PID:3188
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e1e2ed-bcc0-4c33-8ccf-5cacd4e9e916.vbs"9⤵PID:5932
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f747303-1b14-4e1f-ae8c-220b6f67c694.vbs"7⤵PID:5492
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\componentdriver.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3884
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5712
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵
- Executes dropped EXE
PID:2952
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4f0160-dbeb-452d-ba2d-4178d9abbfd3.vbs"2⤵PID:3876
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe3⤵
- Executes dropped EXE
PID:1772
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\445dc2b1-6e21-421f-8b89-0ff0371cd3f2.vbs"2⤵PID:2992
-
-
C:\Program Files\Common Files\dllhost.exe"C:\Program Files\Common Files\dllhost.exe"1⤵
- Executes dropped EXE
PID:4452
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe1⤵
- Executes dropped EXE
PID:5364 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a40a23d-4a35-4eed-b765-b5a9df340ad4.vbs"2⤵PID:5856
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe3⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4214bda3-7374-4bb4-8f85-3473086143ce.vbs"4⤵PID:2464
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24322670-510f-42c4-8bb5-5eab3ba4896a.vbs"6⤵PID:5076
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe7⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd24ec9-f62c-4ee3-b7d7-c1c13e3b5f53.vbs"8⤵PID:1272
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5500 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92111412-6503-4c0d-9906-3987339a01e9.vbs"10⤵PID:3936
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe11⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368cfc48-2828-416d-a824-e2476bf5cc46.vbs"12⤵PID:1492
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ff94055-eee1-446f-89f7-372268f55323.vbs"14⤵PID:644
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe15⤵
- Executes dropped EXE
- Modifies registry class
PID:5288 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac31ea45-b09c-4534-a9d0-e0e40fe5392a.vbs"16⤵PID:1976
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe17⤵
- Executes dropped EXE
PID:2476
-
C:\Program Files\Windows Defender\sysmon.exe"C:\Program Files\Windows Defender\sysmon.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3396 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a989f1-e308-4dff-906d-edfa919e153e.vbs"2⤵PID:3244
-
C:\Program Files\Windows Defender\sysmon.exe"C:\Program Files\Windows Defender\sysmon.exe"3⤵
- Executes dropped EXE
PID:2948
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2e597f-0e9b-4cc1-b46c-9af09d6b1502.vbs"2⤵PID:1008
-
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe1⤵
- Executes dropped EXE
PID:1916
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057702a4-d498-4dc1-95b7-7662b4bf6c82.vbs"2⤵PID:5460
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"3⤵
- Executes dropped EXE
PID:228
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b6f7b0-6e32-420c-a400-49aff09bc138.vbs"2⤵PID:2872
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵
- Executes dropped EXE
PID:2428
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵
- Executes dropped EXE
PID:6104 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62c8938-9ad7-4046-9a79-c8607b4b8d16.vbs"2⤵PID:3820
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"3⤵
- Executes dropped EXE
PID:5776
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79bbd1c5-aee0-4286-9941-007d513491b7.vbs"2⤵PID:3648
-
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe1⤵
- Executes dropped EXE
PID:3416
-
C:\Program Files\Reference Assemblies\conhost.exe"C:\Program Files\Reference Assemblies\conhost.exe"1⤵
- Executes dropped EXE
PID:5916
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5536 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1318c91-85a0-4351-aa55-08119230c92c.vbs"2⤵PID:5952
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"3⤵
- Executes dropped EXE
PID:824 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8117e60d-7c23-45b2-a588-8fd87c322360.vbs"4⤵PID:5868
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"5⤵
- Executes dropped EXE
- Modifies registry class
PID:5832 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c745f54-859c-48fc-a393-4a825fccbe01.vbs"6⤵PID:1536
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"7⤵PID:4248
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6cdf19a-1894-4ad2-82ae-c81c6e64163f.vbs"8⤵PID:4484
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"9⤵
- Checks computer location settings
PID:5524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e329c00-a646-4650-aa5c-b28a2894f1ca.vbs"10⤵PID:5764
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"11⤵PID:3224
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c519d48f-cd12-42b1-88f6-631a5cf15220.vbs"12⤵PID:5176
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"13⤵
- Checks computer location settings
- Modifies registry class
PID:1580 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c10c2a9-7d63-4565-9894-73eba881c206.vbs"14⤵PID:4284
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"15⤵PID:3132
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\142f0424-15c6-478c-924d-4e6b0c363903.vbs"16⤵PID:224
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"17⤵
- Checks computer location settings
- Modifies registry class
PID:5916 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692a3380-5008-43af-b890-d3ff100efb74.vbs"18⤵PID:2520
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"19⤵
- Checks computer location settings
PID:2260 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0ea935-263e-4401-8836-8d85086a1a7e.vbs"20⤵PID:2068
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"21⤵
- Checks computer location settings
PID:5068 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f1cb09-2267-448a-8010-4809502046fe.vbs"22⤵PID:2680
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"23⤵
- Checks computer location settings
PID:4396 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc37a1fe-754b-44eb-9b30-fc5075318517.vbs"24⤵PID:2256
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"25⤵
- Modifies registry class
PID:4144 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2bb337-4d40-4b77-885c-70e367ad19eb.vbs"26⤵PID:5760
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"27⤵
- Modifies registry class
PID:1956 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ba4984-fef8-4050-bb13-e7e39299f754.vbs"28⤵PID:4460
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"29⤵
- Checks computer location settings
- Modifies registry class
PID:744 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abd383e9-f9ea-42f9-ba17-09ce39389c7a.vbs"30⤵PID:5588
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"31⤵PID:4988
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8be40d4-a2f7-4900-a56e-b5b5d663c002.vbs"32⤵PID:2580
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"33⤵
- Checks computer location settings
- Modifies registry class
PID:3120 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37bac8d-4e2b-425e-b729-cf2dc983c6aa.vbs"34⤵PID:4676
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"35⤵
- Checks computer location settings
- Modifies registry class
PID:796 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79165b12-2ec4-45c5-ba30-f93d68f80769.vbs"36⤵PID:4436
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"37⤵
- Checks computer location settings
- Modifies registry class
PID:976 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d7366f7-6295-46b8-883a-cfee7377a0cc.vbs"38⤵PID:4736
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"39⤵
- Checks computer location settings
- Modifies registry class
PID:5036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5f796f-d784-4100-9275-afd83c73a291.vbs"40⤵PID:3180
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"41⤵PID:5296
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵PID:3528
-
C:\Program Files\Common Files\dllhost.exe"C:\Program Files\Common Files\dllhost.exe"1⤵PID:5464
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe1⤵
- Checks computer location settings
- Modifies registry class
PID:5996 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e6fe78b-8b5e-4ee8-89a2-c0c9b4a508a0.vbs"2⤵PID:3748
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe3⤵PID:4880
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a6e360-3ed1-48a0-8d7f-446dabc895e5.vbs"2⤵PID:3004
-
-
C:\Users\Default\SendTo\explorer.exeC:\Users\Default\SendTo\explorer.exe1⤵PID:452
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵
- Checks computer location settings
PID:4668 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05babe49-1481-44c4-9537-c92b000e38e8.vbs"2⤵PID:1580
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"3⤵
- Checks computer location settings
PID:4664 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b272904e-9bf5-401d-8d1b-087f66f2cfc7.vbs"4⤵PID:2112
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"5⤵
- Modifies registry class
PID:1172 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c70ec69-c6c6-45fd-8599-69b1eab1a84b.vbs"6⤵PID:4348
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"7⤵
- Checks computer location settings
- Modifies registry class
PID:4792 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537c8b00-295b-417f-88bb-91d257e6fbc7.vbs"8⤵PID:3036
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"9⤵
- Checks computer location settings
- Modifies registry class
PID:6140 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ab00e74-10fe-46f4-927c-a05e5e55b19a.vbs"10⤵PID:4312
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"11⤵PID:5208
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6ba33ca-04bc-48ea-bac5-ca1cd74a2b31.vbs"12⤵PID:3312
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"13⤵PID:2988
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdd2479-6a8e-450d-ac57-c0186299d054.vbs"14⤵PID:1252
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"15⤵PID:640
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e86785e0-ec96-4f48-9767-64439efbccc0.vbs"14⤵PID:4456
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec097f6-e1ea-43e0-94dc-bbc2d6116b0e.vbs"12⤵PID:3840
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b5bd040-4862-4bf2-bffa-4099b2771c24.vbs"10⤵PID:3264
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f24c5c-7dea-478b-b2cf-ca800eecbe83.vbs"8⤵PID:1412
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543671aa-e94e-4ca0-89ae-d215834ff9f0.vbs"6⤵PID:2952
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4291c968-6381-4e9a-b5a3-81ff7614d460.vbs"4⤵PID:5696
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4094642-9330-4644-8629-9aca3bea93a5.vbs"2⤵PID:5136
-
-
C:\Program Files\Windows Defender\sysmon.exe"C:\Program Files\Windows Defender\sysmon.exe"1⤵PID:4896
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe1⤵PID:228
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵
- Checks computer location settings
PID:4616 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a78d28-f1aa-462e-a330-b424f31259eb.vbs"2⤵PID:232
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe3⤵PID:2984
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d880d83-f273-4881-80e2-c7d806362fea.vbs"2⤵PID:2772
-
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"1⤵PID:924
-
C:\Program Files\Common Files\dllhost.exe"C:\Program Files\Common Files\dllhost.exe"1⤵PID:3048
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵PID:3112
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe1⤵
- Modifies registry class
PID:3192 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb280db-4467-43c6-ba37-5e2d8247c332.vbs"2⤵PID:5528
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe3⤵
- Checks computer location settings
- Modifies registry class
PID:3312 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f9600c-5da5-4c05-8692-4e710697144d.vbs"4⤵PID:4932
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe5⤵PID:4692
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08777abf-3d13-4606-8c90-2046dce7d6be.vbs"6⤵PID:5692
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe7⤵
- Checks computer location settings
PID:2716 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cfa47e7-b41a-472f-87b5-f7b3e49dfe6e.vbs"8⤵PID:3408
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe9⤵
- Modifies registry class
PID:2664 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda02311-a2c3-4fdc-9f91-15a31d3d721f.vbs"10⤵PID:212
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe11⤵
- Modifies registry class
PID:736 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60cd3c1f-244e-4208-8f75-83dbb7ee39f3.vbs"12⤵PID:3040
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe13⤵
- Modifies registry class
PID:4448 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313e1a65-9f27-4447-81e2-807867ec150a.vbs"14⤵PID:4892
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe15⤵PID:3396
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4157040-0083-4f45-9bad-46dd10c02056.vbs"14⤵PID:5880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a339faa-6ac3-4677-946f-625d26087bd9.vbs"12⤵PID:2176
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0c8d48-8acd-4808-9eca-7dcad4b4fc9a.vbs"10⤵PID:4752
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7063ae3a-3916-432b-842f-63fb708355c5.vbs"8⤵PID:2280
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee550d42-49ea-4051-8547-2c4ba429ce65.vbs"6⤵PID:5652
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8b8d2f-b948-45e1-ba86-92f8fa81ce8e.vbs"4⤵PID:4880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623f17cc-9c17-46e9-99b3-d59a017a936e.vbs"2⤵PID:5604
-
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵PID:6140
-
C:\Program Files\Reference Assemblies\conhost.exe"C:\Program Files\Reference Assemblies\conhost.exe"1⤵PID:5676
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe1⤵
- Checks computer location settings
PID:760 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef4406e-66fc-4207-b51f-11254a96599a.vbs"2⤵PID:1192
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe3⤵
- Checks computer location settings
- Modifies registry class
PID:1536 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ef4670-6741-48f6-851c-f569e33d7452.vbs"4⤵PID:4608
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe5⤵
- Checks computer location settings
- Modifies registry class
PID:4412 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06815d88-7902-4e12-8bc6-620812bdb8e0.vbs"6⤵PID:1820
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe7⤵
- Checks computer location settings
PID:1408 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ea5e85c-3c16-475b-8bc3-dfd3bb31050b.vbs"8⤵PID:3444
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe9⤵PID:5728
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4795f0b5-2db3-4c41-949a-fbcc9cdcbac2.vbs"10⤵PID:3600
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe11⤵
- Modifies registry class
PID:2864 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa30675c-44a2-4536-a1ca-4eacd556a4be.vbs"12⤵PID:6116
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe13⤵
- Checks computer location settings
PID:6092 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf0f330-18ac-4299-8c8f-56e7add54f30.vbs"14⤵PID:2172
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe15⤵PID:5288
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8a4e2de-c848-4dc2-b3b2-14f88c105962.vbs"14⤵PID:3592
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f66c737-7ac1-4042-8259-06dc0dfaef87.vbs"12⤵PID:4024
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64283188-3e8a-40c6-9c8b-dfaec055b63c.vbs"10⤵PID:2404
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b81ee4-ce7a-4268-b9fb-c24170c5470e.vbs"8⤵PID:2604
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a82fad1-cf95-4ebe-bcf2-8bd9646978ae.vbs"6⤵PID:4060
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96ebdf18-7a40-4551-bd06-79e02fb563a2.vbs"4⤵PID:3672
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f88c9d-c326-46c4-bfa1-569e5bb5fd57.vbs"2⤵PID:2008
-
-
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"1⤵PID:1220
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵
- Modifies registry class
PID:2664 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a83f19f-7904-4b6b-a9e0-e7b41cc2e553.vbs"2⤵PID:5688
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe3⤵PID:6116
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdfa568e-9529-4d0a-b4a8-a30ae6e6a53e.vbs"4⤵PID:1188
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe5⤵
- Checks computer location settings
PID:4324 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de72f4f-9a38-4403-9af1-106f41bdc482.vbs"6⤵PID:2056
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe7⤵
- Checks computer location settings
- Modifies registry class
PID:5772 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5985216-b963-4558-89da-ac2e32af932d.vbs"8⤵PID:1820
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe9⤵
- Checks computer location settings
- Modifies registry class
PID:4316 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f75d47-c4cf-4817-b665-4f1b35b2ac57.vbs"10⤵PID:1608
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe11⤵
- Modifies registry class
PID:5824 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbbc7328-63fb-4e35-8d1c-17c6d41d32b9.vbs"12⤵PID:5180
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe13⤵
- Modifies registry class
PID:3976 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ba7504-2e40-455a-9ea2-bac55c5699d4.vbs"14⤵PID:3600
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe15⤵PID:1384
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e27448-fab9-4cf2-b28b-36f83e73eb17.vbs"14⤵PID:2760
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af5e320-11c3-4323-bce7-0836e3fc0a44.vbs"12⤵PID:6076
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1860f98c-f558-427b-a205-ed5b77d211af.vbs"10⤵PID:2168
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c997b7-bcbb-42cb-b3af-f155fc814135.vbs"8⤵PID:1572
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22892db-2e67-44ee-882c-b31a806f2ded.vbs"6⤵PID:2612
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc4791f-c505-4173-a640-3b961266c22d.vbs"4⤵PID:5320
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553ac95d-58ba-4d61-a962-306216ee0654.vbs"2⤵PID:4340
-
-
C:\Program Files\Windows Defender\sysmon.exe"C:\Program Files\Windows Defender\sysmon.exe"1⤵PID:1576
-
C:\Windows\GameBarPresenceWriter\taskhostw.exeC:\Windows\GameBarPresenceWriter\taskhostw.exe1⤵PID:4000
-
C:\Program Files\Common Files\dllhost.exe"C:\Program Files\Common Files\dllhost.exe"1⤵PID:5140
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵PID:3820
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"1⤵
- Checks computer location settings
PID:4712 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7097c13-9327-4818-acbc-c260a2495fcb.vbs"2⤵PID:5104
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"3⤵PID:2620
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a13bffde-c40a-427f-b24f-19fce88d192b.vbs"4⤵PID:3116
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"5⤵
- Checks computer location settings
- Modifies registry class
PID:4896 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f758cf-002e-49c0-99fd-d48f9268758e.vbs"6⤵PID:4868
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"7⤵
- Checks computer location settings
- Modifies registry class
PID:1312 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\969b0534-8dd4-4944-bde0-60d1beb2b211.vbs"8⤵PID:4796
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"9⤵
- Checks computer location settings
- Modifies registry class
PID:4452 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f2e19c-6c36-468c-a8e5-37a97cefa17d.vbs"10⤵PID:3164
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"11⤵
- Checks computer location settings
- Modifies registry class
PID:4484 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb1b45e-c54c-427e-99b3-913d09863aa7.vbs"12⤵PID:5776
-
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"13⤵PID:1604
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107c0687-5b07-4ae4-ac49-4e137aec3b22.vbs"12⤵PID:4432
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a3efd0-d867-4b87-975e-6f11fb8073cc.vbs"10⤵PID:5896
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e1e5eb-b1e3-4c9f-865f-8a5097fdfcae.vbs"8⤵PID:2220
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3653256-8fe4-4c0e-888b-0200b3932e43.vbs"6⤵PID:1044
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac6e4aa-f6d3-424e-ace3-0591d02378fe.vbs"4⤵PID:4940
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\345527d2-b120-4058-a96f-86b51cde28d1.vbs"2⤵PID:5332
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe1⤵PID:5372
-
C:\Recovery\WindowsRE\sppsvc.exeC:\Recovery\WindowsRE\sppsvc.exe1⤵PID:1488
-
C:\Users\Default\SendTo\explorer.exeC:\Users\Default\SendTo\explorer.exe1⤵PID:6092
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe1⤵
- Checks computer location settings
PID:1000 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d253f2b-412b-47e6-aabf-5c2bad859b5c.vbs"2⤵PID:4868
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe3⤵
- Checks computer location settings
- Modifies registry class
PID:4452 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e64d417-094e-4bc8-9772-9c6ca85b759e.vbs"4⤵PID:5156
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe5⤵
- Checks computer location settings
- Modifies registry class
PID:6004 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b246990-46ed-4e7d-8c30-2c36b6132478.vbs"6⤵PID:1588
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe7⤵
- Checks computer location settings
PID:4320 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6963d977-e1cb-4a0c-be51-e59f9d6e745b.vbs"8⤵PID:2792
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe9⤵
- Modifies registry class
PID:3436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e8d37b-df5c-4b1c-a41d-d4a6d92d1390.vbs"10⤵PID:4924
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a2bb604-f76e-4fd3-a650-01b6b09f93aa.vbs"10⤵PID:1184
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1048b06-29c7-4793-9cfb-24ff37932ae2.vbs"8⤵PID:2840
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be981f30-6e44-43a5-a317-7f308dc46f7c.vbs"6⤵PID:2136
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230067e7-497b-4131-bae7-94a481cad7d2.vbs"4⤵PID:5816
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fa82deb-557e-4843-9551-e5aaad4bf4ab.vbs"2⤵PID:3288
-
-
C:\Recovery\WindowsRE\winlogon.exeC:\Recovery\WindowsRE\winlogon.exe1⤵PID:1712
-
C:\Program Files\Java\componentdriver.exe"C:\Program Files\Java\componentdriver.exe"1⤵PID:5420
-
C:\Program Files\Reference Assemblies\conhost.exe"C:\Program Files\Reference Assemblies\conhost.exe"1⤵PID:940
-
C:\Program Files\Common Files\dllhost.exe"C:\Program Files\Common Files\dllhost.exe"1⤵PID:2756
Network
MITRE ATT&CK Enterprise v15
Downloads