Analysis Overview
SHA256
528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78
Threat Level: Known bad
The file RustUpdater.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Dcrat family
DCRat payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-22 14:53
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-22 14:53
Reported
2024-07-22 15:24
Platform
win10v2004-20240709-en
Max time kernel
1800s
Max time network
1794s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Program Files\Java\componentdriver.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\System.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Defender\sysmon.exe | N/A |
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Reference Assemblies\conhost.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\088424020bedd6 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Common Files\dllhost.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Windows Defender\sysmon.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\ja-JP\6203df4a6bafc7 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Common Files\5940a34987c991 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\e1ef82546f0b02 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Java\componentdriver.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\088424020bedd6 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Java\971d37d99120a6 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\Windows Defender\121e5b5079f7c0 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\intf\088424020bedd6 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Branding\Basebrd\componentdriver.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Windows\Branding\Basebrd\971d37d99120a6 | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\taskhostw.exe | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\ea9f0e6c9e2dcd | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\System.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files\Java\componentdriver.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\System.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\System.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\System.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\GameBarPresenceWriter\taskhostw.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Program Files\Java\componentdriver.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Recovery\WindowsRE\System.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
"C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\intf\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\componentdriver.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\componentdriver.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfCzEvpyfZ.bat"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\GameBarPresenceWriter\taskhostw.exe
"C:\Windows\GameBarPresenceWriter\taskhostw.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63fa41b7-b7db-4419-b880-a1de4eedd381.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f747303-1b14-4e1f-ae8c-220b6f67c694.vbs"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324aaa64-253b-4630-9deb-2e323756ed95.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e1e2ed-bcc0-4c33-8ccf-5cacd4e9e916.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3e49963-ac36-4372-8511-21ea35aac71d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10c63abe-eeed-48e1-8824-0096ee44dd9d.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbcac25-ead4-4a29-bb13-c7d170f6a895.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ea9783-fd6d-4bc1-bd8a-92eb8dd0de28.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e33aa5-0343-406a-aadf-0b8bfc3da359.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05ffdb5e-c30b-47b7-82ef-c53d2029d778.vbs"
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604187ae-7d1b-40fb-9c4b-fd1886608995.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a324054-0f18-4199-b730-9e7c729199d2.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a24851b3-e699-40de-9ede-9d74651990d8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c333ea-d56d-487d-9024-cffd4f2c3e04.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\196e3c15-698c-47ee-b468-4799fc211ef2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a68f37e-82a4-4ebd-ba6e-5da388a86c4a.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfeeed01-b196-49e8-b25a-0ecb6b83721c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fa7cc0-f8b8-4f7a-8823-1aa21af9d752.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb639fa4-316a-48c8-afb8-7e6e2ff989e4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bccbb18-0ced-470f-b752-0b885a3a74b8.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8677fb49-b85f-4704-a023-06cd34cf5271.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abe79d75-2ced-4a50-b2d4-f3999691fd46.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c01f9304-5872-4583-96a7-3436bbfc00ce.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854ecc17-2d45-49d1-b8bd-be9d607135c4.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ccb56d3-f1c9-4f1e-b471-c8b75eb92b4a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b327bec-a45c-456f-b21a-b5efb7666ab0.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7ed01b-cf15-4f16-86d0-d3acd00b8bd1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa07c047-e0ea-4835-a6f2-e8fbaf7eb160.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ef3bc5-a3e2-4735-a52b-dd5bcb432125.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d7e304-6b7f-4ace-a12e-fc8d3fbb15ae.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a04c057-77ad-4fa2-a005-64403bd33aeb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a659914-903e-4d56-9e6b-7f8fd331ae3b.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc1301de-41ee-4487-bbd6-fc75b1da41b2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32a1dfe-246a-4786-8770-2f4086624e9f.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc1759f4-e15b-466b-b4d2-8290fd85050d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61da8b2-d98b-49ec-9976-f904c74685c9.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b20ff5-59bb-4671-9166-d8d1fdf00445.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de0777e8-de5c-4a5a-820c-f77d450f8bef.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6b1d09-9e19-48de-a58e-74a831c3d24e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb300af-2837-401d-a805-fab0b78f7289.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9a29ea-04c6-43f7-b888-9c7d68741576.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fa57da-7a59-4729-8f33-40e629e84dae.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6311f32f-100c-4875-9cd7-cf5576beb386.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500724ef-de1d-46c4-8d9f-03d1869ea2fe.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc780bc-897c-40c2-99ac-6ff950e2a078.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb961314-80d8-47c2-9509-421007a1f846.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3efe1b-4c8f-452b-b7e1-4183dec794e9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3414ffe4-34a6-45d8-a8a5-f2a37710edd4.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b708f3-5618-401b-85be-8b6d6a8052db.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a7f23ed-1361-49fd-9905-ff4ac6a6f143.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdb13599-1004-423a-879a-66bf67b667b9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded84253-66da-469e-9313-35238548c9c7.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a30f28-6c91-45d8-bc37-0b90028bd6a9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fc232c-3fe2-4eab-8780-aaa8945a8b86.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd0bb3d5-489e-4fa1-a824-b5a7e3295305.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4fafbf-2aca-42f7-8992-f30a8037132e.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba3b494-2274-436e-87be-47117ac45881.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a9fc52-54e0-4c6c-b1e9-585a2dc77827.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec318e83-c5d3-4956-8632-b3cf1cc85f21.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a57f4d-f609-4d6f-8884-dc838807b654.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ce240b-8bdf-4f2e-bc06-9c5288043dcb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b76348a4-968a-47a2-ad8b-f380b5f3dabd.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa67193c-5380-4caa-8037-c2eac81d3260.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c20f23da-de55-4259-8001-74c7fd445e6b.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e1785a-63d3-431e-8611-0b46e742ac35.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8585bd84-09d3-470e-b86f-6c454ccc99ac.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab326257-dc63-4469-8c88-771f48d3e310.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2896a0-6369-449f-9a6b-5b6b95a3ecee.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba6ef34-916b-4350-ab21-b547f20389e2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d5c4f6-d9ea-46a2-97a5-788edf21ed15.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e06bd8-e1a7-41d5-bec6-2e91c1d0fb94.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8baf57e1-1dd4-4807-af10-ec521c1cc55d.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4f0160-dbeb-452d-ba2d-4178d9abbfd3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\445dc2b1-6e21-421f-8b89-0ff0371cd3f2.vbs"
C:\Program Files\Common Files\dllhost.exe
"C:\Program Files\Common Files\dllhost.exe"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a40a23d-4a35-4eed-b765-b5a9df340ad4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc04cf55-f50e-456b-93d6-b2ffc3ddf5fa.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4214bda3-7374-4bb4-8f85-3473086143ce.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\831d5a6e-07f7-419a-a50e-5ba25bbc58f7.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24322670-510f-42c4-8bb5-5eab3ba4896a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec83fb6-2be9-433a-8ec2-22fb5519cdd3.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd24ec9-f62c-4ee3-b7d7-c1c13e3b5f53.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d8154e-9d83-4d98-a815-f5d2ea6c094c.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92111412-6503-4c0d-9906-3987339a01e9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c49a69dd-8c67-4aa0-a43c-7adc0b8557c7.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368cfc48-2828-416d-a824-e2476bf5cc46.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f335e810-bc1a-42be-85b0-420e92e939d1.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ff94055-eee1-446f-89f7-372268f55323.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ef77d1-d846-4ecb-99f4-f62b7db131d0.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac31ea45-b09c-4534-a9d0-e0e40fe5392a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17eaac80-777a-4c2b-bb81-033d7b177ede.vbs"
C:\Program Files\Windows Defender\sysmon.exe
"C:\Program Files\Windows Defender\sysmon.exe"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a989f1-e308-4dff-906d-edfa919e153e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2e597f-0e9b-4cc1-b46c-9af09d6b1502.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Program Files\Windows Defender\sysmon.exe
"C:\Program Files\Windows Defender\sysmon.exe"
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057702a4-d498-4dc1-95b7-7662b4bf6c82.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b6f7b0-6e32-420c-a400-49aff09bc138.vbs"
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62c8938-9ad7-4046-9a79-c8607b4b8d16.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79bbd1c5-aee0-4286-9941-007d513491b7.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Program Files\Reference Assemblies\conhost.exe
"C:\Program Files\Reference Assemblies\conhost.exe"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1318c91-85a0-4351-aa55-08119230c92c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34dcf5c6-0c7c-4b63-9662-0ce2f1c1fcc7.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8117e60d-7c23-45b2-a588-8fd87c322360.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65509e5b-b959-4e1c-84fb-6a99e645d62d.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c745f54-859c-48fc-a393-4a825fccbe01.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe128562-0449-4916-84f1-6f516fa78541.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6cdf19a-1894-4ad2-82ae-c81c6e64163f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cafd109f-ba76-4aa9-9770-b582e3b38de3.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e329c00-a646-4650-aa5c-b28a2894f1ca.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db558666-b7b3-4609-9ab2-a3d5db62bf80.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c519d48f-cd12-42b1-88f6-631a5cf15220.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1865d728-2549-454f-b24f-5710438ad28c.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c10c2a9-7d63-4565-9894-73eba881c206.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ed34b8-5ffa-4b21-bc06-55a4b9405630.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\142f0424-15c6-478c-924d-4e6b0c363903.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a742602f-739b-4808-9d05-13e34cad85cf.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Program Files\Common Files\dllhost.exe
"C:\Program Files\Common Files\dllhost.exe"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\692a3380-5008-43af-b890-d3ff100efb74.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58b2e67a-d6ff-4fe5-bbb8-ed55380cb4f8.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0ea935-263e-4401-8836-8d85086a1a7e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1eaba45-2e26-41e6-ad93-1d5091d648cd.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f1cb09-2267-448a-8010-4809502046fe.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d8f238-3f0b-4d91-8b38-cc3e287b3c76.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc37a1fe-754b-44eb-9b30-fc5075318517.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dac9b1e-42c1-43f6-be1c-be4b9db9997c.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2bb337-4d40-4b77-885c-70e367ad19eb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9f38a0-bdc0-4468-8c41-5704e7776c51.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ba4984-fef8-4050-bb13-e7e39299f754.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449afa59-4634-4de1-992c-784f32edc3dd.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abd383e9-f9ea-42f9-ba17-09ce39389c7a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8ec280-3f68-4e8a-a9e9-867b4ddcabb9.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8be40d4-a2f7-4900-a56e-b5b5d663c002.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dc53452-72e5-44b7-bc9e-c3051c499dcd.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f37bac8d-4e2b-425e-b729-cf2dc983c6aa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30368f87-5b58-4f77-bff4-6993485d297b.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79165b12-2ec4-45c5-ba30-f93d68f80769.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcba4439-57ce-40d6-9284-174a63dc5c4e.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d7366f7-6295-46b8-883a-cfee7377a0cc.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2011474-fdec-492a-8fce-bbdc528d84fd.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5f796f-d784-4100-9275-afd83c73a291.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85188f1d-700d-4016-b9c9-72bd309bd7e5.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e6fe78b-8b5e-4ee8-89a2-c0c9b4a508a0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a6e360-3ed1-48a0-8d7f-446dabc895e5.vbs"
C:\Users\Default\SendTo\explorer.exe
C:\Users\Default\SendTo\explorer.exe
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05babe49-1481-44c4-9537-c92b000e38e8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4094642-9330-4644-8629-9aca3bea93a5.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b272904e-9bf5-401d-8d1b-087f66f2cfc7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4291c968-6381-4e9a-b5a3-81ff7614d460.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c70ec69-c6c6-45fd-8599-69b1eab1a84b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543671aa-e94e-4ca0-89ae-d215834ff9f0.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537c8b00-295b-417f-88bb-91d257e6fbc7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f24c5c-7dea-478b-b2cf-ca800eecbe83.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ab00e74-10fe-46f4-927c-a05e5e55b19a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b5bd040-4862-4bf2-bffa-4099b2771c24.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6ba33ca-04bc-48ea-bac5-ca1cd74a2b31.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec097f6-e1ea-43e0-94dc-bbc2d6116b0e.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdd2479-6a8e-450d-ac57-c0186299d054.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e86785e0-ec96-4f48-9767-64439efbccc0.vbs"
C:\Program Files\Windows Defender\sysmon.exe
"C:\Program Files\Windows Defender\sysmon.exe"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a78d28-f1aa-462e-a330-b424f31259eb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d880d83-f273-4881-80e2-c7d806362fea.vbs"
C:\Program Files\Common Files\dllhost.exe
"C:\Program Files\Common Files\dllhost.exe"
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Program Files\Reference Assemblies\conhost.exe
"C:\Program Files\Reference Assemblies\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb280db-4467-43c6-ba37-5e2d8247c332.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623f17cc-9c17-46e9-99b3-d59a017a936e.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f9600c-5da5-4c05-8692-4e710697144d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8b8d2f-b948-45e1-ba86-92f8fa81ce8e.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08777abf-3d13-4606-8c90-2046dce7d6be.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee550d42-49ea-4051-8547-2c4ba429ce65.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cfa47e7-b41a-472f-87b5-f7b3e49dfe6e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7063ae3a-3916-432b-842f-63fb708355c5.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dda02311-a2c3-4fdc-9f91-15a31d3d721f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0c8d48-8acd-4808-9eca-7dcad4b4fc9a.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60cd3c1f-244e-4208-8f75-83dbb7ee39f3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a339faa-6ac3-4677-946f-625d26087bd9.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313e1a65-9f27-4447-81e2-807867ec150a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4157040-0083-4f45-9bad-46dd10c02056.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef4406e-66fc-4207-b51f-11254a96599a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f88c9d-c326-46c4-bfa1-569e5bb5fd57.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ef4670-6741-48f6-851c-f569e33d7452.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96ebdf18-7a40-4551-bd06-79e02fb563a2.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06815d88-7902-4e12-8bc6-620812bdb8e0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a82fad1-cf95-4ebe-bcf2-8bd9646978ae.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ea5e85c-3c16-475b-8bc3-dfd3bb31050b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b81ee4-ce7a-4268-b9fb-c24170c5470e.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4795f0b5-2db3-4c41-949a-fbcc9cdcbac2.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64283188-3e8a-40c6-9c8b-dfaec055b63c.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa30675c-44a2-4536-a1ca-4eacd556a4be.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f66c737-7ac1-4042-8259-06dc0dfaef87.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf0f330-18ac-4299-8c8f-56e7add54f30.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8a4e2de-c848-4dc2-b3b2-14f88c105962.vbs"
C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\SppExtComObj.exe"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Program Files\Windows Defender\sysmon.exe
"C:\Program Files\Windows Defender\sysmon.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a83f19f-7904-4b6b-a9e0-e7b41cc2e553.vbs"
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\GameBarPresenceWriter\taskhostw.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553ac95d-58ba-4d61-a962-306216ee0654.vbs"
C:\Program Files\Common Files\dllhost.exe
"C:\Program Files\Common Files\dllhost.exe"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdfa568e-9529-4d0a-b4a8-a30ae6e6a53e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc4791f-c505-4173-a640-3b961266c22d.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de72f4f-9a38-4403-9af1-106f41bdc482.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22892db-2e67-44ee-882c-b31a806f2ded.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5985216-b963-4558-89da-ac2e32af932d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c997b7-bcbb-42cb-b3af-f155fc814135.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f75d47-c4cf-4817-b665-4f1b35b2ac57.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1860f98c-f558-427b-a205-ed5b77d211af.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbbc7328-63fb-4e35-8d1c-17c6d41d32b9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af5e320-11c3-4323-bce7-0836e3fc0a44.vbs"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ba7504-2e40-455a-9ea2-bac55c5699d4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e27448-fab9-4cf2-b28b-36f83e73eb17.vbs"
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7097c13-9327-4818-acbc-c260a2495fcb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\345527d2-b120-4058-a96f-86b51cde28d1.vbs"
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Recovery\WindowsRE\RuntimeBroker.exe
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a13bffde-c40a-427f-b24f-19fce88d192b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac6e4aa-f6d3-424e-ace3-0591d02378fe.vbs"
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f758cf-002e-49c0-99fd-d48f9268758e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3653256-8fe4-4c0e-888b-0200b3932e43.vbs"
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\969b0534-8dd4-4944-bde0-60d1beb2b211.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e1e5eb-b1e3-4c9f-865f-8a5097fdfcae.vbs"
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f2e19c-6c36-468c-a8e5-37a97cefa17d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a3efd0-d867-4b87-975e-6f11fb8073cc.vbs"
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb1b45e-c54c-427e-99b3-913d09863aa7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107c0687-5b07-4ae4-ac49-4e137aec3b22.vbs"
C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
C:\Users\Default\SendTo\explorer.exe
C:\Users\Default\SendTo\explorer.exe
C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\lsass.exe"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Recovery\WindowsRE\winlogon.exe
C:\Program Files\Java\componentdriver.exe
"C:\Program Files\Java\componentdriver.exe"
C:\Program Files\Reference Assemblies\conhost.exe
"C:\Program Files\Reference Assemblies\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d253f2b-412b-47e6-aabf-5c2bad859b5c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fa82deb-557e-4843-9551-e5aaad4bf4ab.vbs"
C:\Program Files\Common Files\dllhost.exe
"C:\Program Files\Common Files\dllhost.exe"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e64d417-094e-4bc8-9772-9c6ca85b759e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230067e7-497b-4131-bae7-94a481cad7d2.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b246990-46ed-4e7d-8c30-2c36b6132478.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be981f30-6e44-43a5-a317-7f308dc46f7c.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6963d977-e1cb-4a0c-be51-e59f9d6e745b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1048b06-29c7-4793-9cfb-24ff37932ae2.vbs"
C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e8d37b-df5c-4b1c-a41d-d4a6d92d1390.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a2bb604-f76e-4fd3-a650-01b6b09f93aa.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files