Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 18:41

General

  • Target

    RustUpdater.exe

  • Size

    2.3MB

  • MD5

    50d955b49b2a8878cdd683365c83e183

  • SHA1

    9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244

  • SHA256

    528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78

  • SHA512

    6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2

  • SSDEEP

    49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 21 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 19 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
          "C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
          • C:\Recovery\WindowsRE\unsecapp.exe
            "C:\Recovery\WindowsRE\unsecapp.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1096
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ac3c2a-f314-4710-b981-84eb51ef3a3e.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:452
              • C:\Recovery\WindowsRE\unsecapp.exe
                C:\Recovery\WindowsRE\unsecapp.exe
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5472
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\095f2e49-acdd-4e6c-a1e6-037f20500a3c.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5580
                  • C:\Recovery\WindowsRE\unsecapp.exe
                    C:\Recovery\WindowsRE\unsecapp.exe
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5736
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c51665ca-a737-431b-8bb0-00ad60c59b0e.vbs"
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5840
                      • C:\Recovery\WindowsRE\unsecapp.exe
                        C:\Recovery\WindowsRE\unsecapp.exe
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5976
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee2bb53-6c3c-4b42-a51d-fdb66ddca660.vbs"
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:6088
                          • C:\Recovery\WindowsRE\unsecapp.exe
                            C:\Recovery\WindowsRE\unsecapp.exe
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1520
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e15135f3-62af-4f55-bd90-6295a6463c8a.vbs"
                              14⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2780
                              • C:\Recovery\WindowsRE\unsecapp.exe
                                C:\Recovery\WindowsRE\unsecapp.exe
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:5252
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ec5dab-ec83-46d2-aeae-3a11613e2bd5.vbs"
                                  16⤵
                                    PID:3808
                                    • C:\Recovery\WindowsRE\unsecapp.exe
                                      C:\Recovery\WindowsRE\unsecapp.exe
                                      17⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4812
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d4b2bb3-c7b8-4232-aa3d-95bfbb08a5dd.vbs"
                                        18⤵
                                          PID:5488
                                          • C:\Recovery\WindowsRE\unsecapp.exe
                                            C:\Recovery\WindowsRE\unsecapp.exe
                                            19⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5812
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735ac258-4e1e-4761-960d-8aa02da7749c.vbs"
                                              20⤵
                                                PID:5844
                                                • C:\Recovery\WindowsRE\unsecapp.exe
                                                  C:\Recovery\WindowsRE\unsecapp.exe
                                                  21⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4876
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2993e3de-13cf-4cc2-b4ff-325f79dfdfb6.vbs"
                                                    22⤵
                                                      PID:5176
                                                      • C:\Recovery\WindowsRE\unsecapp.exe
                                                        C:\Recovery\WindowsRE\unsecapp.exe
                                                        23⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4660
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69169b55-ffe5-4530-b6b7-1a8f5fc66b95.vbs"
                                                          24⤵
                                                            PID:2040
                                                            • C:\Recovery\WindowsRE\unsecapp.exe
                                                              C:\Recovery\WindowsRE\unsecapp.exe
                                                              25⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4616
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa507fb-edac-4700-ae77-d63630b9d52d.vbs"
                                                                26⤵
                                                                  PID:3616
                                                                  • C:\Recovery\WindowsRE\unsecapp.exe
                                                                    C:\Recovery\WindowsRE\unsecapp.exe
                                                                    27⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:5212
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e380bc9b-7ed2-4625-897c-f10fb67e9a5f.vbs"
                                                                      28⤵
                                                                        PID:3556
                                                                        • C:\Recovery\WindowsRE\unsecapp.exe
                                                                          C:\Recovery\WindowsRE\unsecapp.exe
                                                                          29⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4932
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a134271c-494a-423e-a638-7a169c72276c.vbs"
                                                                            30⤵
                                                                              PID:2284
                                                                              • C:\Recovery\WindowsRE\unsecapp.exe
                                                                                C:\Recovery\WindowsRE\unsecapp.exe
                                                                                31⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2580
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa290b18-e870-4f24-893e-bc4fb911ec15.vbs"
                                                                                  32⤵
                                                                                    PID:5172
                                                                                    • C:\Recovery\WindowsRE\unsecapp.exe
                                                                                      C:\Recovery\WindowsRE\unsecapp.exe
                                                                                      33⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2524
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b8f8b8-d3d2-4e55-b6e4-7463419bcff4.vbs"
                                                                                        34⤵
                                                                                          PID:5932
                                                                                          • C:\Recovery\WindowsRE\unsecapp.exe
                                                                                            C:\Recovery\WindowsRE\unsecapp.exe
                                                                                            35⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2784
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c7538d8-c5f8-4162-bf9c-9edcfb6eb481.vbs"
                                                                                              36⤵
                                                                                                PID:4916
                                                                                                • C:\Recovery\WindowsRE\unsecapp.exe
                                                                                                  C:\Recovery\WindowsRE\unsecapp.exe
                                                                                                  37⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3692
                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d968f471-df42-461e-b513-6f4d0874105a.vbs"
                                                                                                    38⤵
                                                                                                      PID:4992
                                                                                                      • C:\Recovery\WindowsRE\unsecapp.exe
                                                                                                        C:\Recovery\WindowsRE\unsecapp.exe
                                                                                                        39⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4344
                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d7458-7ebc-430a-9291-2f2600279c9a.vbs"
                                                                                                          40⤵
                                                                                                            PID:5896
                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9fca2f-7506-4ae2-a6df-a358d04a2e5c.vbs"
                                                                                                            40⤵
                                                                                                              PID:6064
                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ee183b-e8bc-41da-97b1-766fb1548059.vbs"
                                                                                                          38⤵
                                                                                                            PID:2344
                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4362d34-fe4d-4dbd-bb8a-a5dd5028c1d7.vbs"
                                                                                                        36⤵
                                                                                                          PID:2432
                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33cb9dca-e6f8-4dd2-b52e-faf17f83eb5f.vbs"
                                                                                                      34⤵
                                                                                                        PID:2776
                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76b26f9-4f73-4645-961c-3de628f04ea6.vbs"
                                                                                                    32⤵
                                                                                                      PID:5640
                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f0b916-1b5b-4159-83ea-931b3ab474e8.vbs"
                                                                                                  30⤵
                                                                                                    PID:2780
                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e0d53f-0381-4eb1-8700-c88d575b2694.vbs"
                                                                                                28⤵
                                                                                                  PID:3888
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9177ea3-c921-4ce0-9f03-42e7d72090e7.vbs"
                                                                                              26⤵
                                                                                                PID:880
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59f4ef6-86a8-4635-95dd-3d9eb961dba3.vbs"
                                                                                            24⤵
                                                                                              PID:2004
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75840b2e-fb4f-468d-9f24-7a6d3e962575.vbs"
                                                                                          22⤵
                                                                                            PID:984
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bedcbfef-4e6e-458a-ae20-c057aea91f55.vbs"
                                                                                        20⤵
                                                                                          PID:6056
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c342f0b-4bdb-43f0-b42c-6418a9a707d9.vbs"
                                                                                      18⤵
                                                                                        PID:5500
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\572c531d-652d-4378-9024-324d5a593f46.vbs"
                                                                                    16⤵
                                                                                      PID:3856
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d34ecb-8fa2-4ceb-9fb6-e5d2818d1ea0.vbs"
                                                                                  14⤵
                                                                                    PID:4664
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ba544b-bad9-4b2c-82e7-027e40456557.vbs"
                                                                                12⤵
                                                                                  PID:6132
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9813e787-cd73-4ae0-bff2-f1509b4ddbe1.vbs"
                                                                              10⤵
                                                                                PID:5888
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f0602db-7c4e-47a9-a397-ce1c266e82fc.vbs"
                                                                            8⤵
                                                                              PID:5624
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb94648-9fcc-4c16-99c9-d5bdc26a4a9d.vbs"
                                                                          6⤵
                                                                            PID:1640
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3608
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4956
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5080
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1196
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:776
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4188
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3984
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3760
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4052
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:784
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1456
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:60
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1168
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:316
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1592
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1404
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2908
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2084
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3672
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1964
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4808
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4540
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:4716
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
                                                                  1⤵
                                                                  • Process spawned unexpected child process
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2100

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                                  SHA1

                                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                  SHA256

                                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                  SHA512

                                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  baf55b95da4a601229647f25dad12878

                                                                  SHA1

                                                                  abc16954ebfd213733c4493fc1910164d825cac8

                                                                  SHA256

                                                                  ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                                  SHA512

                                                                  24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  62623d22bd9e037191765d5083ce16a3

                                                                  SHA1

                                                                  4a07da6872672f715a4780513d95ed8ddeefd259

                                                                  SHA256

                                                                  95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                  SHA512

                                                                  9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  cadef9abd087803c630df65264a6c81c

                                                                  SHA1

                                                                  babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                  SHA256

                                                                  cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                  SHA512

                                                                  7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  2e907f77659a6601fcc408274894da2e

                                                                  SHA1

                                                                  9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                  SHA256

                                                                  385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                  SHA512

                                                                  34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  bd5940f08d0be56e65e5f2aaf47c538e

                                                                  SHA1

                                                                  d7e31b87866e5e383ab5499da64aba50f03e8443

                                                                  SHA256

                                                                  2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                                  SHA512

                                                                  c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                                • C:\Users\Admin\AppData\Local\Temp\095f2e49-acdd-4e6c-a1e6-037f20500a3c.vbs

                                                                  Filesize

                                                                  710B

                                                                  MD5

                                                                  83c22793523cc20820e3ecee47204469

                                                                  SHA1

                                                                  e399ae3808bf007fce43b82927bc7c557e9e0fe8

                                                                  SHA256

                                                                  4aacfc26e5eb3f9349757663f47e5fe6c3a35b914aa5c7dd4398e6bc23bd9277

                                                                  SHA512

                                                                  04571619b1ef27e721586b9145ecee16a8045499325c0cc63418b468f123e3b5bdfd78c008c23edb5f8a8ff82acccf49b87e33ca9cdb5d3db86fa32d8da91e0d

                                                                • C:\Users\Admin\AppData\Local\Temp\2993e3de-13cf-4cc2-b4ff-325f79dfdfb6.vbs

                                                                  Filesize

                                                                  710B

                                                                  MD5

                                                                  48d62bb13887542d56318d4dfd4ae2d4

                                                                  SHA1

                                                                  dbe495177097e826729f2f7c81b53d7c55be7638

                                                                  SHA256

                                                                  d52eb67b44662df3bbca3f6ea0c44ab5fc0ff15c82697bec448f21cc42e68779

                                                                  SHA512

                                                                  8b50655c21c9a7406a4ff16c4ae0be7d461c5fff12e3c60572a50b493fadf79dca3a581270079a437c157118ef97c6971d49c2f49afaa58c5c1269646f8564ff

                                                                • C:\Users\Admin\AppData\Local\Temp\2fa507fb-edac-4700-ae77-d63630b9d52d.vbs

                                                                  Filesize

                                                                  710B

                                                                  MD5

                                                                  5a6f446f6dfebf53ce2b8fc5a39bd668

                                                                  SHA1

                                                                  bda1251f7e1f633f924982e87adb41610b6f07f0

                                                                  SHA256

                                                                  878d9a03bf0787c6d730d2779f020df16f5ad74c8088febc87720a23edb551dd

                                                                  SHA512

                                                                  792b8c4eb1482efe5023691bee17accb260c59b506f9949fcb784388ab58b526c8ea28dd43cb46392f87589d8b159c1bcfadb83800d965a7e6d61f706bd1590d

• C:\Users\Admin\AppData\Local\Temp\38ac3c2a-f314-4710-b981-84eb51ef3a3e.vbs
  Filesize: 710B
  MD5: ad1939b98c7c21dfb30ea4b4ba1b4d3b
  SHA1: 11cbfd5c905d3134e067237d3ad701de37ec6703
  SHA256: 191466c7d19a4309577189d384ff49611dce3612de29476d7ce5e8f214d8aaf7
  SHA512: 392ff69faf99a46ea413700fec0f48fee86eaad1a2d857aaa392726dda97a8f417abf39cd07386623e97307f096792e563760c450057e10b6522f8b1f21965b4

• C:\Users\Admin\AppData\Local\Temp\69169b55-ffe5-4530-b6b7-1a8f5fc66b95.vbs
  Filesize: 710B
  MD5: a58b8ebed29806b58df522f3e6618bf2
  SHA1: a8af9feb50928bc23f7488a2e92d6004b4430622
  SHA256: 36c99e3cba11f999431cf507d88560336fc2463d65db0a954dfdc6fadcb881b2
  SHA512: 4effc3d5906dab8269553dc3dca2df9a887c9108d8503fc17c565b0740a72f23eb2b1dcaa09cb705627952efb483076775e1fcbb5427d9e1116d19db808c8576

• C:\Users\Admin\AppData\Local\Temp\735ac258-4e1e-4761-960d-8aa02da7749c.vbs
  Filesize: 710B
  MD5: bd48459dfedef74068de18da8497a6db
  SHA1: f3b2d5b34d263097a8ed9c88ebad3156e606ba28
  SHA256: 325da944e8c9293d887931aaa4e07666c9160a628eafee9bde0ba22eabf2151c
  SHA512: 852c57c06afea810ae67c43c4e07df9c4b54b7c9d38c7bc0316e33d84eb81352a81f4207ae0c309b2ed97424d634f0af1683dda966bcc71a71baad90af673b89

• C:\Users\Admin\AppData\Local\Temp\8d4b2bb3-c7b8-4232-aa3d-95bfbb08a5dd.vbs
  Filesize: 710B
  MD5: 45adb68c5dffa8cabf470da62f5d1b3b
  SHA1: 9c8a85db712c206c8feed2a39c7cd273aa124928
  SHA256: d95bfc615d3a4b583f380988af80e9c911084de8aca13190c713e3411151093e
  SHA512: 195bd67da80143b667f75407b9da2ec780ad4dfc03345ddaaee28d0e9c43ec2cec2f09f8796974c747589fd10d18745c0f5abf9e895113d8bddc233b8cbc4cd2

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgjh5gii.kot.psm1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\aee2bb53-6c3c-4b42-a51d-fdb66ddca660.vbs
  Filesize: 710B
  MD5: 82d34c7e3919f3b47f326838aff1b696
  SHA1: 147f33539ec68166a28672cbd97d6ba768a385c6
  SHA256: b73d0b291698b83e689e5f074ea0edc6998f71db44c35ade9439ac1f941e4c30
  SHA512: 36222f28d37e7f758fea15895b51cc1c95715a30967397fc2ca983f6dae4739f239697f785bf6f4cbd34acd0d8c7cc2daf0ac78a5d949c4c20a1bf650c1699b5

• C:\Users\Admin\AppData\Local\Temp\c51665ca-a737-431b-8bb0-00ad60c59b0e.vbs
  Filesize: 710B
  MD5: addad0c7ad925179c2eacffbe6cdb1d9
  SHA1: 928e4fc41804822f85951702a45c158083b2089b
  SHA256: ceddb55954d7c8e3641c0873c6e236fe5997f768291630241cb12219fff5702d
  SHA512: f41a268400fab0f86c9d330a2fd502feefb6cc1a5554cdf8fd1557b18ea9b95c8e5ca6453a8fd1510ab9d903680ee27099b876df01b11fd913075b9bab68ff19

• C:\Users\Admin\AppData\Local\Temp\cdb94648-9fcc-4c16-99c9-d5bdc26a4a9d.vbs
  Filesize: 486B
  MD5: 26394524fd10807c1b8dd1f388eee584
  SHA1: c89aa8511a574b57ffac5a219feabb95067a84f9
  SHA256: f7d1355df334043d7def2ba55f04e20dffb6a3e00d7e7e024b7538be75126cec
  SHA512: 5ffd74e238cc4e382dc749ef12547f38b37780d8869a9028a99a3ce49931493331793a037ff50f5a7bb50cbe0f46870b3ad7fd0c1d79d26f7a192a1d589b2343

• C:\Users\Admin\AppData\Local\Temp\d4ec5dab-ec83-46d2-aeae-3a11613e2bd5.vbs
  Filesize: 710B
  MD5: da1b384f56113a1c976aac4474d02416
  SHA1: 6bf3b74d370b6079e272aea079449c0f067594b8
  SHA256: 3545617a63ea7102015ce76f1101ad69c93624c4b6501847dbd9a0b7436a5296
  SHA512: 4580b4dddef4c60a216144fad3ae7abe594d352e02c74f7f1f2c4f0e98150d0f287c58202547bce62a836c25efe0a7279b64a309eee3aaa65571dc5313a2b40e

• C:\Users\Admin\AppData\Local\Temp\e15135f3-62af-4f55-bd90-6295a6463c8a.vbs
  Filesize: 710B
  MD5: 62af778666934a3bcee6bfd82d8801db
  SHA1: 7b188db1ad5b37282f8cc364ffadb22f92f584ed
  SHA256: 14c80fa92ee22d36f36b56684482e4714b958e7e8b246c036feb65e6360c8fc0
  SHA512: 98ff9b225c028b8aa098feae2dc913d7b15199e92f7663328a3aeb6a87bf5513c386f6f1d2f422a92eae1e62e08a628266b5d4237b0aab4b50878bf9c5801198

• C:\Users\Admin\AppData\Local\Temp\e380bc9b-7ed2-4625-897c-f10fb67e9a5f.vbs
  Filesize: 710B
  MD5: a82185a84cc513be5ff35a0afec2206f
  SHA1: 7c802111c04453add33d2a4bec468536b9b469b5
  SHA256: 5df7db4eacd5270bbb7a89cccf3218bc2a179ea27952886e73fb66f912afe60e
  SHA512: 337a95fb67ac750ed057fe624a0c7d60bc345625e477fee64f37142b7ab0bc71c350c8cebfc333b16eeace7019dc5d8d9506f730cf28de74d19484beb5a9dae6

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat
  Filesize: 48B
  MD5: 8f2fe00117d8cf1e8f32eb7bf7c5ab82
  SHA1: 952f7ed0a7bcc5ccc8a3dda8d32d12d3777f6be9
  SHA256: 02e8d359193b0ae24c55786b196b81fa9ca8851c0b36944547ab1c766ecf53ba
  SHA512: 6fd6a26b107c1542e84649a016ad6e523ed43f9b63b33b6efe96e89a73c0fdadcba4aa9786a399e8df4d2e7d8af79dbabfd4534648e76aae948b082e97a1e077

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
  Filesize: 1.0MB
  MD5: 50c3534dacb3359079f8fca6b702e98e
  SHA1: 85cd176c6f7c97017547aaf9b1133ca3d1fb1885
  SHA256: 867cfd96b563631e0e2a1d89d784b47bf723194595b6dd301225fe608f6186de
  SHA512: a3cb0ff747332f0d91a2126f63cf12ea44e00de2221ec83fcbec86dfff90384c62299a77e97916572ad723132123168505e005884c6c8329713eb3db9cbf2750

• C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe
  Filesize: 222B
  MD5: 4dad95df8fa0e085b45537e5be8778f6
  SHA1: 044c0c326db9f180d8c79f7fd7719fac3abc69d3
  SHA256: b4c3908e82e611ee34d5b27906b7ea428f31cf3c6e37d19e49032ac5af938f0b
  SHA512: 4a089ec1b661a1b996781fcd813971b9ba43a4a0c4ba356dc0d78072bb03e62ceb8bda1f21f579c1a82662eeece15f2515a73b11863eeed5c11b5176e920d376

• memory/532-65-0x0000024FF9900000-0x0000024FF9922000-memory.dmp
  Filesize: 136KB

• memory/1440-10-0x0000000000B60000-0x0000000000F46000-memory.dmp
  Filesize: 3.9MB

• memory/1440-0-0x0000000000B60000-0x0000000000F46000-memory.dmp
  Filesize: 3.9MB

• memory/4864-20-0x00000000025B0000-0x00000000025BA000-memory.dmp
  Filesize: 40KB

• memory/4864-16-0x0000000000200000-0x000000000030A000-memory.dmp
  Filesize: 1.0MB

• memory/4864-15-0x00007FF929CC3000-0x00007FF929CC5000-memory.dmp
  Filesize: 8KB

• memory/4864-17-0x0000000002420000-0x0000000002428000-memory.dmp
  Filesize: 32KB

• memory/4864-18-0x0000000002430000-0x000000000243C000-memory.dmp
  Filesize: 48KB

• memory/4864-19-0x0000000002550000-0x000000000255C000-memory.dmp
  Filesize: 48KB

• memory/4864-22-0x0000000002570000-0x000000000257C000-memory.dmp
  Filesize: 48KB

• memory/4864-21-0x0000000002560000-0x0000000002568000-memory.dmp
  Filesize: 32KB
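The listing above is a flattened table: one bullet per dropped file, each followed by its size and four digests, and one bullet per memory dump, named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and carrying only a size. The Python below is an added example, not part of the sandbox report or of its vendor's tooling. It parses that layout into records, checks that every dump's listed Filesize equals end minus start (the B/KB/MB rounding convention is inferred from the listed values, and is an assumption), flags address ranges dumped more than once (pid 1440's 0xB60000-0xF46000 region appears as dump 0 and again as dump 10), and hashes arbitrary byte blobs against the listed digests. REPORT_EXCERPT is copied from the entries above; the class and function names are mine.

```python
"""Parse a sandbox report's dropped-file and memory-dump entries, check each
dump's listed size against its address range, and match local files against
the listed digests."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt copied from the entries above; a real run would be fed the
# whole listing. A label may be followed by a colon, spaces or a newline.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
  Filesize: 1.0MB
  MD5: 50c3534dacb3359079f8fca6b702e98e
  SHA256: 867cfd96b563631e0e2a1d89d784b47bf723194595b6dd301225fe608f6186de
• C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat
  Filesize: 48B
  MD5: 8f2fe00117d8cf1e8f32eb7bf7c5ab82
• memory/532-65-0x0000024FF9900000-0x0000024FF9922000-memory.dmp
  Filesize: 136KB
• memory/1440-10-0x0000000000B60000-0x0000000000F46000-memory.dmp
  Filesize: 3.9MB
• memory/1440-0-0x0000000000B60000-0x0000000000F46000-memory.dmp
  Filesize: 3.9MB
• memory/4864-16-0x0000000000200000-0x000000000030A000-memory.dmp
  Filesize: 1.0MB
"""
HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")
LABEL_RE = re.compile(r"\b(Filesize|MD5|SHA1|SHA256|SHA512)\b\s*:?\s*(\S+)")
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

@dataclass
class FileEntry:
    path: str
    size_label: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest

@dataclass
class MemoryEntry:
    name: str
    pid: int
    seq: int  # middle field of the name: dump sequence number within the run
    start: int
    end: int
    size_label: str

def human_size(n: int) -> str:
    """Byte count in the report's style (assumed from its values): B, whole KB, or MB to one decimal."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{round(n / 1024)}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def parse_report(text: str) -> list:
    """Split the flattened listing on its bullets into FileEntry / MemoryEntry records."""
    entries = []
    for chunk in text.split("•")[1:]:
        name = chunk.strip().splitlines()[0].strip()
        fields = {k.lower(): v for k, v in LABEL_RE.findall(chunk)}
        size_label = fields.pop("filesize", "")
        m = MEM_RE.fullmatch(name)
        if m:
            pid, seq, start, end = m.groups()
            entries.append(MemoryEntry(name, int(pid), int(seq), int(start, 16), int(end, 16), size_label))
        else:
            entries.append(FileEntry(name, size_label, {k: v.lower() for k, v in fields.items()}))
    return entries

def check_memory_sizes(entries) -> list:
    """(name, listed label, bytes implied by the range, label agrees?) for every dump."""
    return [(e.name, e.size_label, e.end - e.start, human_size(e.end - e.start) == e.size_label)
            for e in entries if isinstance(e, MemoryEntry)]

def duplicate_regions(entries) -> dict:
    """(pid, start, end) -> sorted sequence numbers, for ranges dumped more than once."""
    groups = {}
    for e in entries:
        if isinstance(e, MemoryEntry):
            groups.setdefault((e.pid, e.start, e.end), []).append(e.seq)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def hash_bytes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}

def match_iocs(blobs: dict, entries) -> list:
    """Hash each name -> bytes blob; return (blob, listed path, algorithms that agreed).
    Only algorithms an entry actually lists are compared, and each hit says which ones matched."""
    hits = []
    for name, data in blobs.items():
        digests = hash_bytes(data)
        for e in entries:
            if isinstance(e, FileEntry):
                agreed = tuple(a for a in HASH_ALGOS if e.hashes.get(a) == digests[a])
                if agreed:
                    hits.append((name, e.path, agreed))
    return hits
```

To sweep a host, read the candidate files into the name -> bytes dict (os.walk plus open(path, "rb")) and pass the fully parsed listing. Keep in mind what these digests can and cannot catch: the 710-byte .vbs files all have GUID-style names and pairwise different hashes, so their digests identify only this run's artifacts, whereas the %APPDATA%\agentruntimeperf directory holding componentdriver.exe, the .bat and the .vbe is the part of the listing also worth turning into a path-based rule.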