Resubmissions

25-09-2024 18:20

240925-wy2v4atbmg 10

25-09-2024 18:14

240925-wvqcwsshpe 10

Analysis

  • max time kernel
    1800s
  • max time network
    1796s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 18:20

General

  • Target

    b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

  • Size

    4.9MB

  • MD5

    5a9fb15e8fc1d8162c861ca1544f38f0

  • SHA1

    a7606e286eb27a1a5e95693c594de5c65c5d7aa1

  • SHA256

    b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

  • SHA512

    a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 64 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run every exclusion is a path, starting with the drive root 'C:/' and then each top-level directory, which disables on-access scanning for the whole volume.

  • Executes dropped EXE 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 64 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
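Detection logic for the behaviours listed above and shown in the process tree below, as an added example that is not part of this sandbox report. It runs over a constructed set of process-creation events in an assumed `pid|ppid|image|commandline` layout (Sysmon Event ID 1 style), built from the page's own tree: it measures the scope of the `Add-MpPreference -ExclusionPath` calls, flags the dropped `audiodg.exe` running outside System32, spots the `w32tm /stripchart` sleep trick, and counts the WScript.exe to EXE relaunch loop. The parent PID 1000 of the initial sample and the benign System32 `audiodg.exe` control line are assumptions, not values from the report.

```python
"""Triage of process-creation events for the behaviours this report flags.

Added example, not part of the sandbox report. SAMPLE_LOG is constructed from
the process tree on the page in an assumed 'pid|ppid|image|commandline' layout;
the parent PID 1000 of the initial sample and the benign System32 audiodg.exe
control line are assumptions, not from the report.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
DROPPED = r"C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

SAMPLE_LOG = "\n".join([
    f"1972|1000|{SAMPLE}|\"{SAMPLE}\"",
    f"2320|1972|{PS}|\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    f"1304|1972|{PS}|\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    f"1352|1972|{PS}|\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    f"2856|1972|{CMD}|\"{CMD}\" /C \"{TEMP}\\EwmW5ZiuB3.bat\"",
    f"1944|2856|C:\\Windows\\system32\\w32tm.exe|w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    f"2816|2856|{DROPPED}|\"{DROPPED}\"",
    f"2508|2816|{WSCRIPT}|\"{WSCRIPT}\" \"{TEMP}\\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs\"",
    f"2444|2508|{DROPPED}|\"{DROPPED}\"",
    f"2868|2444|{WSCRIPT}|\"{WSCRIPT}\" \"{TEMP}\\7fb1eaeb-6187-415e-978f-b68aa8e53c70.vbs\"",
    f"2440|2868|{DROPPED}|\"{DROPPED}\"",
    # Constructed benign control: the real audiodg.exe, started from System32.
    "612|780|C:\\Windows\\System32\\audiodg.exe|C:\\Windows\\System32\\audiodg.exe 0x2e8",
])

# Quoted or bare path argument to Add-MpPreference -ExclusionPath.
EXCL_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))",
    re.IGNORECASE)

# Names that only run legitimately from the Windows system directories.
SYSTEM_BINARIES = {"audiodg.exe", "svchost.exe", "lsass.exe", "csrss.exe", "dwm.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_events(text):
    """Split 'pid|ppid|image|commandline' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events


def defender_exclusions(events):
    """Paths added as Defender exclusions via PowerShell, normalised to backslashes."""
    paths = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        m = EXCL_RE.search(e["cmdline"])
        if m:
            raw = m.group(1) or m.group(2) or m.group(3)
            paths.append(raw.replace("/", "\\").rstrip("\\"))
    return paths


def exclusion_findings(paths):
    """Flag exclusions broad enough to blind Defender for a whole volume."""
    findings = []
    for p in paths:
        if re.fullmatch(r"[A-Za-z]:", p):
            findings.append(f"drive root excluded: {p}\\")
        elif p.count("\\") == 1:
            findings.append(f"top-level directory excluded: {p}")
    return findings


def masquerading(events):
    """System binary names executing from outside System32/SysWOW64."""
    hits = set()
    for e in events:
        image = e["image"].lower()
        if image.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
            hits.add(e["image"])
    return sorted(hits)


def w32tm_sleep(events):
    """w32tm /stripchart against localhost is a batch-file sleep substitute."""
    return [e for e in events
            if e["image"].lower().endswith("w32tm.exe")
            and "/stripchart" in e["cmdline"].lower()
            and "/computer:localhost" in e["cmdline"].lower()]


def relaunch_chain(events):
    """Count EXE launches whose parent is WScript.exe, per image (the VBS -> EXE loop).
    PIDs are unique in the sample; a real log should key on the process GUID."""
    by_pid = {e["pid"]: e for e in events}
    counter = Counter()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("wscript.exe") and e["image"].lower().endswith(".exe"):
            counter[e["image"]] += 1
    return dict(counter)


def triage(text):
    events = parse_events(text)
    excl = defender_exclusions(events)
    return {
        "exclusions": excl,
        "exclusion_findings": exclusion_findings(excl),
        "masquerading": masquerading(events),
        "w32tm_sleep": len(w32tm_sleep(events)),
        "wscript_relaunches": relaunch_chain(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The exclusion check treats a drive-root or top-level-directory exclusion as a finding on its own; in this run the sample adds both, so the findings list is as long as the exclusion list. On a live host the same scope check can be run against the output of `Get-MpPreference` rather than against process logs.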

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwmW5ZiuB3.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1944
        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
          3⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2816
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2444
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb1eaeb-6187-415e-978f-b68aa8e53c70.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2868
                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2440
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a957ed-c25f-4329-a969-4602cc19c6d6.vbs"
                    8⤵
                      PID:2588
                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                        9⤵
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2852
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1e55dd-f46d-4bab-bf94-d978cde6df20.vbs"
                          10⤵
                            PID:1740
                            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1940
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef105459-3e1e-4d47-9632-0b5048fae436.vbs"
                                12⤵
                                  PID:1964
                                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1064
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1477a36b-e1b5-4cd9-9369-c11203a3d45c.vbs"
                                      14⤵
                                        PID:2320
                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2532
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\974d9147-ea43-4c17-a2de-ec4ceeb32ca5.vbs"
                                            16⤵
                                              PID:2900
                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:884
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291d1841-97a1-4377-a667-b8cba52acf26.vbs"
                                                  18⤵
                                                    PID:2652
                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1108
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a781c9-34ce-4a67-9589-762570e27eb0.vbs"
                                                        20⤵
                                                          PID:1732
                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1612
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0469aeb-e29a-4161-9451-29994f373be2.vbs"
                                                              22⤵
                                                                PID:1500
                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2512
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2f80a40-0455-4dc4-9944-654a54be4a05.vbs"
                                                                    24⤵
                                                                      PID:1004
                                                                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:572
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa74fcd7-1681-45ab-af55-0c17c74bbdaf.vbs"
                                                                          26⤵
                                                                            PID:912
                                                                            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                              27⤵
                                                                              • UAC bypass
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:2252
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d143383-7fcf-4ace-8c27-5d0cb288723e.vbs"
                                                                                28⤵
                                                                                  PID:1428
                                                                                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                    29⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:1848
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc5acc9-5221-46cf-b352-0e5cfe853300.vbs"
                                                                                      30⤵
                                                                                        PID:1956
                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                          31⤵
                                                                                          • UAC bypass
                                                                                          • Executes dropped EXE
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • System policy modification
                                                                                          PID:2148
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb34b2de-7d9f-4bae-9791-51a4d7c06080.vbs"
                                                                                            32⤵
                                                                                              PID:1576
                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                33⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2880
                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e80b1a9-f08a-4f81-86f3-ed16a1140d7e.vbs"
                                                                                                  34⤵
                                                                                                    PID:2588
                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                      35⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Checks whether UAC is enabled
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • System policy modification
                                                                                                      PID:1740
                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1f929d-98a8-4342-a855-ee152fc6fa8e.vbs"
                                                                                                        36⤵
                                                                                                          PID:2384
                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                            37⤵
                                                                                                            • UAC bypass
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:1756
                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a5dfbf2-6f1b-40c8-b87a-599fe25ac2db.vbs"
                                                                                                              38⤵
                                                                                                                PID:1792
                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                  39⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1508
                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9493a9a-16e8-459d-9468-3c457eb683f0.vbs"
                                                                                                                    40⤵
                                                                                                                      PID:1288
                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                        41⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Checks whether UAC is enabled
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:2960
                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a64125a-3628-4029-81a6-606c2ef2c7c0.vbs"
                                                                                                                          42⤵
                                                                                                                            PID:1768
                                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                              43⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Checks whether UAC is enabled
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              • System policy modification
                                                                                                                              PID:1032
                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2730f9c1-5954-4f90-9195-43099133bb10.vbs"
                                                                                                                                44⤵
                                                                                                                                  PID:2004
                                                                                                                                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                    45⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:2340
                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a873253-3fca-4b09-9298-a96040251e8e.vbs"
                                                                                                                                      46⤵
                                                                                                                                        PID:1916
                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                          47⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          • System policy modification
                                                                                                                                          PID:1400
                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c80a1c4-4e97-4139-ab68-034aabb694a1.vbs"
                                                                                                                                            48⤵
                                                                                                                                              PID:2556
                                                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                49⤵
                                                                                                                                                • UAC bypass
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2668
                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a437a4c1-adb9-4273-8f0f-6da40c12cac4.vbs"
                                                                                                                                                  50⤵
                                                                                                                                                    PID:2536
                                                                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                      51⤵
                                                                                                                                                      • UAC bypass
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      • System policy modification
                                                                                                                                                      PID:2812
                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a18ebea0-8d75-4bef-b4d8-e274315d075a.vbs"
                                                                                                                                                        52⤵
                                                                                                                                                          PID:2228
                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                            53⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:2076
                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b43bd8-abe3-40fa-bda8-8fdb130317dc.vbs"
                                                                                                                                                              54⤵
                                                                                                                                                                PID:1772
                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                  55⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:2404
                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c9a0ba-958f-4d7e-bf68-ecd593a8ef12.vbs"
                                                                                                                                                                54⤵
                                                                                                                                                                  PID:2084
                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8522b6de-e88c-4581-b361-123d34e735b7.vbs"
                                                                                                                                                              52⤵
                                                                                                                                                                PID:1324
                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\592ab024-09be-4bd6-b5bc-184908320269.vbs"
                                                                                                                                                            50⤵
                                                                                                                                                              PID:2248
                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1803fcf7-2912-45e5-af56-dbeb13c856d0.vbs"
                                                                                                                                                          48⤵
                                                                                                                                                            PID:1108
                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0136ae81-dba5-40f1-b484-7d0cec927eee.vbs"
                                                                                                                                                        46⤵
                                                                                                                                                          PID:1004
                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb4df6a1-d195-46cd-824e-17ef2e406e0e.vbs"
                                                                                                                                                      44⤵
                                                                                                                                                        PID:532
                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67549861-7820-40e4-8bbe-ec0d93d02377.vbs"
                                                                                                                                                    42⤵
                                                                                                                                                      PID:576
                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2144448b-de06-41b1-8db0-31feac3ee96b.vbs"
                                                                                                                                                  40⤵
                                                                                                                                                    PID:2288
                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f1ca7e-d6b0-4432-bcd8-5d4b011468ea.vbs"
                                                                                                                                                38⤵
                                                                                                                                                  PID:2184
                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e365e2fe-0ebb-4218-8f90-3cdff504c246.vbs"
                                                                                                                                              36⤵
                                                                                                                                                PID:2884
                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c2d7589-5d94-4526-bcb6-e9d8ae43daca.vbs"
                                                                                                                                            34⤵
                                                                                                                                              PID:2200
                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f378fe0-f77b-4570-9d08-16c300f5c284.vbs"
                                                                                                                                          32⤵
                                                                                                                                            PID:2144
                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5090c9dc-264c-424f-b112-1d051a3ad28c.vbs"
                                                                                                                                        30⤵
                                                                                                                                          PID:1132
                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad009bc7-c7f4-4b47-9657-f93458490cd9.vbs"
                                                                                                                                      28⤵
                                                                                                                                        PID:2272
                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e690dd7-b0e9-4157-8fac-273162c5a735.vbs"
                                                                                                                                    26⤵
                                                                                                                                      PID:2732
                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4daf1837-0be6-4da3-b831-fe34e5beb302.vbs"
                                                                                                                                  24⤵
                                                                                                                                    PID:1208
                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f504e58-2dc6-4995-9448-b333fad48092.vbs"
                                                                                                                                22⤵
                                                                                                                                  PID:996
                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7954474d-213c-456a-975b-eafd3d1b9e57.vbs"
                                                                                                                              20⤵
                                                                                                                                PID:2832
                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92d3eb91-94e4-45e2-bf51-765c65d97989.vbs"
                                                                                                                            18⤵
                                                                                                                              PID:540
                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4fa3bab-3d05-42a2-925b-c8d7f893297e.vbs"
                                                                                                                          16⤵
                                                                                                                            PID:1680
                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4adce45-683c-482a-bd38-635d15925729.vbs"
                                                                                                                        14⤵
                                                                                                                          PID:2484
                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb3bc06-7f64-4d3a-9f41-ddbbdb9c7ef8.vbs"
                                                                                                                      12⤵
                                                                                                                        PID:2000
                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"
                                                                                                                    10⤵
                                                                                                                      PID:2364
                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"
                                                                                                                  8⤵
                                                                                                                    PID:880
                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02df486-ce78-4e0b-a26e-e5661bc9e67b.vbs"
                                                                                                                6⤵
                                                                                                                  PID:316
                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"
                                                                                                              4⤵
                                                                                                                PID:2452
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2728
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2812
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2572
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2676
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2816
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2972
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2276
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1780
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1088
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:108
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2536
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2896
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2180
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:336
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2060
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2980
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2828
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2196
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:780
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2332
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2164
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2168
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2444
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:532
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1288
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:3036
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2220
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:3016
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2208
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\ext\spoolsv.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1944
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:3056
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN" /sc ONLOGON /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2428
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2160
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /f
                                                                                                          1⤵
                                                                                                          • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1560
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:912
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:616
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1028
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2044
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2216
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1828
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1936
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1856
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2144
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2296
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:2472
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1008
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:1428
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:592
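The schtasks lines above all follow one pattern: a task named after a core Windows process (smss, wininit, lsass, csrss, Idle) whose /tr target is a dropped copy in Program Files, MSOCache, Recovery or the user's Recent folder, registered twice, once ONLOGON and once on a MINUTE interval under the same name with its own first letter appended (smss/smsss, lsass/lsassl), mostly with /rl HIGHEST. The Python below is an added example for this report, not sandbox output and not DCRat code: it parses command lines of that shape and applies exactly those checks. The set of system-process names and the trusted directories are assumptions, the last sample line is a constructed benign task for contrast, and the other sample lines are copied from the tree above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names DCRat-style droppers borrow from core Windows processes. "Idle" is not a
# real binary (Task Manager shows "System Idle Process") but is used the same
# way. Assumed list for this example, not a published signature.
SYSTEM_PROCESS_NAMES = {
    "smss", "csrss", "wininit", "lsass", "winlogon", "services", "svchost",
    "audiodg", "dwm", "explorer", "spoolsv", "taskhost", "idle", "system",
}
# Where those binaries legitimately live (assumed, compared lower-case).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_TN = re.compile(r'/tn\s+"([^"]*)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
# A path with spaces is wrapped in single quotes inside the double-quoted
# /tr argument ("'C:\Program Files\...'"); strip both layers.
_TR = re.compile(r'''/tr\s+"'?(.*?)'?"''', re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a `schtasks /create` command line, else None."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if not (tn and tr):
        return None
    sc, mo, rl = _SC.search(cmdline), _MO.search(cmdline), _RL.search(cmdline)
    return Task(name=tn.group(1),
                schedule=sc.group(1).upper() if sc else "",
                modifier=int(mo.group(1)) if mo else None,
                target=tr.group(1),
                run_level=rl.group(1).upper() if rl else None)


def assess(task: Task) -> List[str]:
    """Return the reasons a task looks like masquerading persistence."""
    findings = []
    exe = task.target.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = exe.lower()[:-4] if exe.lower().endswith(".exe") else exe.lower()
    if stem in SYSTEM_PROCESS_NAMES and not task.target.lower().startswith(TRUSTED_DIRS):
        findings.append(f"{exe} outside System32/SysWOW64: {task.target}")
    # Each ONLOGON task is paired with a MINUTE task named the same word plus
    # its own first letter ("lsass" / "lsassl"); test both forms.
    name = task.name.lower()
    variants = {name}
    if len(name) > 1 and name[-1] == name[0]:
        variants.add(name[:-1])
    if variants & SYSTEM_PROCESS_NAMES:
        findings.append(f"task name {task.name!r} borrows a system process name")
    if task.run_level == "HIGHEST":
        findings.append("/rl HIGHEST requests the account's highest privileges")
    if task.schedule == "MINUTE" and task.modifier is not None:
        findings.append(f"re-launched every {task.modifier} min")
    elif task.schedule == "ONLOGON":
        findings.append("re-launched at every logon")
    return findings


def scan(cmdlines: List[str]) -> List[Task]:
    """Parse every schtasks /create line and keep those that raise findings."""
    flagged = []
    for line in cmdlines:
        task = parse_schtasks(line.strip())
        if task is not None:
            task.findings = assess(task)
            if task.findings:
                flagged.append(task)
    return flagged


# Six lines copied from the process tree above; the last line is a constructed
# benign task that should raise nothing.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f
'''.strip().splitlines()

if __name__ == "__main__":
    for task in scan(SAMPLE_CMDLINES):
        print(f"{task.name}: " + "; ".join(task.findings))
```

On a live host the same function can be fed the output of `schtasks /query /fo LIST /v` or Sysmon event ID 1 command lines for schtasks.exe; the path check is the one that does the work, since a task named "lsass" pointing at C:\Windows\System32\lsass.exe would be odd but not this pattern.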
• C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  1⤵
  PID:2992
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:1508
  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
    2⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1264
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"
  1⤵
  PID:2920
• C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  "C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
  1⤵
  PID:2980
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"
  1⤵
  PID:1944
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"
  1⤵
  PID:2600
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67af23b6-6050-4eb2-85bc-861d06e5db4b.vbs"
  1⤵
  PID:2376
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f35bb97-dc50-4e94-87f8-4e2992fc0852.vbs"
  1⤵
  PID:2052
• C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs"
  1⤵
  PID:2520
• C:\Windows\system32\taskeng.exe
  taskeng.exe {39632321-4B8B-46E4-90AD-918B059923E1} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
  1⤵
  PID:2752
  • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
    "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
    2⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:544
  • C:\Users\Admin\Recent\lsass.exe
    C:\Users\Admin\Recent\lsass.exe
    2⤵
    • UAC bypass
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2572
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebb3f657-2170-4fdb-a77c-40bd09429a8c.vbs"
      3⤵
      PID:480
      • C:\Users\Admin\Recent\lsass.exe
        C:\Users\Admin\Recent\lsass.exe
        4⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a777996-dc29-428b-9633-ebe7a2f2aea0.vbs"
      3⤵
      PID:1796
  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
    2⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2472
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55773280-a79a-4d68-a74f-6edcbda25920.vbs"
      3⤵
      PID:2100
      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
        4⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2844
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a149f6-4eca-4ee6-a35f-64c34b785168.vbs"
          5⤵
          PID:2720
          • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
            "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
            6⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f641df2f-85a5-439d-9c9b-45965566bce2.vbs"
              7⤵
              PID:1156
              • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
                "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
                8⤵
                • UAC bypass
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:644
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2095675a-7db6-485e-b3ed-82c97bebced1.vbs"
                  9⤵
                  PID:2632
                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
                    10⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1708
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9418e24c-8b4b-4cb9-b9bf-46030d3992d4.vbs"
                      11⤵
                      PID:2608
                      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
                        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
                        12⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                • System policy modification
                                                                                                                                                                PID:1432
                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf2fbef-3193-40ce-88a7-c49f0c1ade77.vbs"
                                                                                                                                                                  13⤵
                                                                                                                                                                    PID:2008
                                                                                                                                                                    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
                                                                                                                                                                      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                                                                                                                                      14⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:2536
                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508407be-1f06-4c6b-a12b-dcf9a9c15861.vbs"
                                                                                                                                                                    13⤵
                                                                                                                                                                      PID:644
                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c07a5a5-55ee-47bc-bde0-ec3dc5c8b708.vbs"
                                                                                                                                                                  11⤵
                                                                                                                                                                    PID:1304
                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba8ad9b3-c94d-47dc-af10-b337f0163c91.vbs"
                                                                                                                                                                9⤵
                                                                                                                                                                  PID:1028
                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8533d52-2c36-4c76-b5d7-289bf66777e4.vbs"
                                                                                                                                                              7⤵
                                                                                                                                                                PID:1616
                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564dca90-8d9b-43bf-85d1-fed76beb7496.vbs"
                                                                                                                                                            5⤵
                                                                                                                                                              PID:2416
                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8e4ecb-0802-45b8-aa9f-733f711b684c.vbs"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:1784
                                                                                                                                                        • C:\Program Files\Java\jre7\lib\ext\spoolsv.exe
                                                                                                                                                          "C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:2076
                                                                                                                                                        • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
                                                                                                                                                          C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:1652
                                                                                                                                                        • C:\Windows\Tasks\lsm.exe
                                                                                                                                                          C:\Windows\Tasks\lsm.exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:2656
                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                          2⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:932
                                                                                                                                                        • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                          C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                          2⤵
                                                                                                                                                          • UAC bypass
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                          PID:2380
                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c138d4-b9c2-453f-bb1f-61021705a189.vbs"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:568
                                                                                                                                                              • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                4⤵
                                                                                                                                                                • UAC bypass
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:2960
                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8427a7-1714-4506-b99d-0103d3e24b2c.vbs"
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:1708
                                                                                                                                                                    • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                      C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                      6⤵
                                                                                                                                                                      • UAC bypass
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:2644
                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b840d9-7e54-424f-8a5c-6ea3c03eeddf.vbs"
                                                                                                                                                                        7⤵
                                                                                                                                                                          PID:1548
                                                                                                                                                                          • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                            C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                            8⤵
                                                                                                                                                                            • UAC bypass
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                            • System policy modification
                                                                                                                                                                            PID:2924
                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44afce48-c99a-451d-be4e-035cbb7ae94b.vbs"
                                                                                                                                                                              9⤵
                                                                                                                                                                                PID:2088
                                                                                                                                                                                • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                  C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                  10⤵
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  • System policy modification
                                                                                                                                                                                  PID:1356
                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40226343-97f3-4601-a5e1-207f6320ca89.vbs"
                                                                                                                                                                                    11⤵
                                                                                                                                                                                      PID:2992
                                                                                                                                                                                      • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                        C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                        12⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                        PID:2028
                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743ed8c6-16bc-47d6-83a2-dfa2ce512bd1.vbs"
                                                                                                                                                                                          13⤵
                                                                                                                                                                                            PID:2188
                                                                                                                                                                                            • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                              C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                              14⤵
                                                                                                                                                                                              • UAC bypass
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:2024
                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7f3a56-8236-4e71-94f4-a1af4c81688c.vbs"
                                                                                                                                                                                                15⤵
                                                                                                                                                                                                  PID:1708
                                                                                                                                                                                                  • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                    C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:2312
                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d1574bc-ec77-4806-80bd-768b526d1b57.vbs"
                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                        PID:2812
                                                                                                                                                                                                        • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                          C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                          PID:924
                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8d3072-5729-473a-bb5c-e45eb0f7fd60.vbs"
                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                              PID:2096
                                                                                                                                                                                                              • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                PID:2940
                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ca37f5-2f06-49bf-8ef4-62ba9246ced6.vbs"
                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                    PID:2500
                                                                                                                                                                                                                    • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                      C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                      PID:3000
                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64b59c83-5bb6-447a-869e-c821b345ca0d.vbs"
                                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                                          PID:2932
                                                                                                                                                                                                                          • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                            C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                            24⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2692
                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c274ea9-eb94-4f9c-9a12-886ad95bd2f9.vbs"
                                                                                                                                                                                                                          23⤵
                                                                                                                                                                                                                            PID:1708
                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41c255dd-418b-4e35-82e3-e3bf7c5431c1.vbs"
                                                                                                                                                                                                                        21⤵
                                                                                                                                                                                                                          PID:932
                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6295eceb-3587-4bc8-9202-a8876093b766.vbs"
                                                                                                                                                                                                                      19⤵
                                                                                                                                                                                                                        PID:2524
                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd1d6a00-6f0b-4569-a0e6-8dd32f7336f0.vbs"
                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                      PID:1020
                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3943177b-bb31-435d-9f68-2879a44068c5.vbs"
                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                    PID:2032
                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5a3fde1-1079-42c7-a847-07c47890c8a0.vbs"
                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47604fe8-6df4-4877-9d57-55637f978d72.vbs"
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                PID:1372
                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2722513-b67c-4d75-bdfb-2f2ba1f444b9.vbs"
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:2356
                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ee279d-2c00-4cf8-93e4-89765792e852.vbs"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                            PID:2788
                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e53bba19-005b-48ba-a400-e62434ba43e3.vbs"
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:968
                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a790dfab-8088-4f09-9ba0-6a71f8e006f0.vbs"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1960
                                                                                                                                                                                                    • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                      "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:2444
                                                                                                                                                                                                    • C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
                                                                                                                                                                                                      C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:480
                                                                                                                                                                                                    • C:\Users\Admin\Recent\lsass.exe
                                                                                                                                                                                                      C:\Users\Admin\Recent\lsass.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:884
                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                      PID:2036
                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa7c6e-5709-4ad3-875d-8969b7772884.vbs"
                                                                                                                                                                                                        3⤵
      PID:2148
        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          PID:2088
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f3c047a-00c0-4ed6-a3c2-0990a7d77b82.vbs"
              5⤵
              PID:956
                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • System policy modification
                  PID:1764
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b345bebd-5d31-45b4-9afa-b91cae7a773b.vbs"
                      7⤵
                      PID:2296
                        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                          8⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • System policy modification
                          PID:1904
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4487b1bc-2e22-4de5-b88c-8736fefee706.vbs"
                              9⤵
                              PID:328
                                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                  10⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • System policy modification
                                  PID:1740
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f366ad9-42c0-4c8b-9f13-94674777a419.vbs"
                                      11⤵
                                      PID:600
                                        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          PID:2992
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db715930-6723-44cb-bbcd-789cd77007b7.vbs"
                                              13⤵
                                              PID:780
                                                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                  14⤵
                                                  PID:1792
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca795d0-6d4b-4fb7-a7d7-ea2a42fea0cc.vbs"
                                              13⤵
                                              PID:1588
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34062494-f033-4368-b1b8-7d6bb19f3091.vbs"
                                      11⤵
                                      PID:2712
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6574cb59-fe3c-436a-9ea1-d003cb4570e5.vbs"
                              9⤵
                              PID:2608
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7ec0fe-c938-49ec-a116-aa2fe7e56828.vbs"
                      7⤵
                      PID:2400
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1b8ed7-f92d-46c5-ade6-ff762fc5acb4.vbs"
              5⤵
              PID:2312
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8b9906-758a-4005-8707-0d558b6e2599.vbs"
      3⤵
      PID:2320
• C:\Users\Default\Saved Games\explorer.exe
  "C:\Users\Default\Saved Games\explorer.exe"
  2⤵
  • Executes dropped EXE
  PID:2296
• C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
  "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
  2⤵
  • Checks whether UAC is enabled
  • System policy modification
  PID:544
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68e9d80-dc4e-4dab-b8a8-90760d329f8a.vbs"
      3⤵
      PID:2160
        • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
          "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
          4⤵
          • Checks whether UAC is enabled
          • System policy modification
          PID:1848
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2c8bd2-5814-49c5-9e9c-e73cded7fbf0.vbs"
              5⤵
              PID:2536
                • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                  "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                  6⤵
                  • Checks whether UAC is enabled
                  PID:2124
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7d157a-0fcc-4272-879c-7cb160b9d3e6.vbs"
                      7⤵
                      PID:1636
                        • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                          "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                          8⤵
                          PID:1656
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b672e89f-6ecb-4cbe-bd67-b2ac71ac173a.vbs"
                              9⤵
                              PID:1428
                                • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                  "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                  10⤵
                                  • UAC bypass
                                  • System policy modification
                                  PID:2844
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62c7658-4df7-4a27-9974-3f78506e9fb7.vbs"
                                      11⤵
                                      PID:3048
                                                                                                                                                                                                                                                              • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                  PID:2160
                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f552f3-f7bc-49a5-a2e8-b76b74487c3d.vbs"
                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                      PID:3160
                                                                                                                                                                                                                                                                      • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                        "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                                          PID:3324
                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9038819e-8166-4afb-a2d8-3e20446c2cba.vbs"
                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                          PID:3220
                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e662146b-b874-409a-9631-343c31195a91.vbs"
                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                        PID:2252
                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4960acb5-38e4-476d-b58c-8d9e9ba76553.vbs"
                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                      PID:544
                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adf81c3-dc79-4118-802d-4284beb88cee.vbs"
                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                    PID:2584
                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a677a3f-2ca9-4e68-8348-2ece52d293d8.vbs"
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                  PID:780
                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330c5bcf-ce0b-4189-8816-8aeb67db4e22.vbs"
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:2384
                                                                                                                                                                                                                                                            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
                                                                                                                                                                                                                                                              "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:2204
                                                                                                                                                                                                                                                              • C:\Program Files\Java\jre7\lib\ext\spoolsv.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:940
                                                                                                                                                                                                                                                                • C:\Users\Admin\Recent\lsass.exe
                                                                                                                                                                                                                                                                  C:\Users\Admin\Recent\lsass.exe
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:3504
                                                                                                                                                                                                                                                                  • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
                                                                                                                                                                                                                                                                    C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:3512
                                                                                                                                                                                                                                                                    • C:\Windows\Tasks\lsm.exe
                                                                                                                                                                                                                                                                      C:\Windows\Tasks\lsm.exe
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:3528
                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                        PID:3536
                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9165e0-cc3a-40b2-8813-ad8e1dabf8eb.vbs"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:3888
                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                              • UAC bypass
                                                                                                                                                                                                                                                                              • System policy modification
                                                                                                                                                                                                                                                                              PID:3108
                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27ca13c8-0325-40bd-a0ea-9b4ec16be2ed.vbs"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:3048
                                                                                                                                                                                                                                                                                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                    • UAC bypass
                                                                                                                                                                                                                                                                                    • System policy modification
                                                                                                                                                                                                                                                                                    PID:1656
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91b4c8c6-5903-4623-aea3-6815c58b66a3.vbs"
                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                        PID:3380
                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                          PID:1248
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1831e825-5231-4c9f-bc29-63247c122fc3.vbs"
                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                              PID:3448
                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                PID:3988
                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdcd68f-fb59-4784-b85a-d7b9ea2a07b7.vbs"
                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                    PID:3544
                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                      PID:3592
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4860e01f-09ef-4c73-9c3f-6435d88c9dda.vbs"
                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                          PID:3312
                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                            • System policy modification
                                                                                                                                                                                                                                                                                                            PID:588
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7aed086-5bda-4151-80c5-0def7ac118f5.vbs"
                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                PID:3420
                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                                                                                    PID:1656
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e575393-f82b-4ad6-856d-57b9d3a61a86.vbs"
                                                                                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                                                                                        PID:2952
                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                          PID:3812
                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19590dc-2eb3-4bff-a75d-7d636c337015.vbs"
                                                                                                                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                                                                                                                              PID:4052
                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                PID:3908
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d098ee-bf98-4b3f-af69-01546596ab97.vbs"
                                                                                                                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                                                                                                                    PID:3544
                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                      PID:3396
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c316e8b6-7b99-4898-85d0-e3058c438ae0.vbs"
                                                                                                                                                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                                                                                                                                                          PID:3416
                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                            24⤵
                                                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                            PID:3572
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b020b20b-0c5b-4ef2-a44c-4f174cc72abd.vbs"
                                                                                                                                                                                                                                                                                                                                              25⤵
                                                                                                                                                                                                                                                                                                                                                PID:4060
                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                  26⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1848
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1bcc459-671b-493c-bd8f-e919ec3b6fe1.vbs"
                                                                                                                                                                                                                                                                                                                                                      27⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3296
                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                          28⤵
                                                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                          • System policy modification
                                                                                                                                                                                                                                                                                                                                                          PID:2552
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353d9cfa-43fc-456e-916f-7a0ca3726f35.vbs"
29⤵
  PID:3348
  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
    30⤵
    • System policy modification
    PID:3452
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66b8fad-1172-4e82-8715-da4fdc125421.vbs"
      31⤵
      PID:4036
      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
        32⤵
        • System policy modification
        PID:4008
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c49916-304e-4d94-beaa-e6200cf8d702.vbs"
          33⤵
          PID:4080
          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
            34⤵
            • UAC bypass
            PID:3896
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7197a734-a884-45c3-a50f-79262f722534.vbs"
              35⤵
              PID:3392
              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                36⤵
                • UAC bypass
                • System policy modification
                PID:1256
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b176fd30-5b8c-4a34-9ab9-2a6fd904e599.vbs"
                  37⤵
                  PID:3684
                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                    38⤵
                    • UAC bypass
                    • Checks whether UAC is enabled
                    • System policy modification
                    PID:3640
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c413a012-8714-4a95-ad60-19b6316ee68c.vbs"
                      39⤵
                      PID:3536
                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                        40⤵
                        • UAC bypass
                        PID:3756
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8680b574-ecc9-4518-b965-0d6484bf097d.vbs"
                          41⤵
                          PID:3468
                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                            42⤵
                            • Checks whether UAC is enabled
                            • System policy modification
                            PID:3404
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\004fcd9c-edda-459e-83b4-a56806cd8e75.vbs"
                              43⤵
                              PID:3120
                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                44⤵
                                • UAC bypass
                                • Checks whether UAC is enabled
                                PID:2564
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659656d9-1df5-4c34-a67e-25363301eb0f.vbs"
                                  45⤵
                                  PID:3628
                                  • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                    "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                    46⤵
                                    PID:2436
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffb2ed75-023d-48b7-8314-651d4f85f97d.vbs"
                                      47⤵
                                      PID:1376
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3544
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf8ce99a-eb05-4f75-bf26-04a46d638a48.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                            49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3524
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                • System policy modification
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3108
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\428da52a-3604-470b-b057-5902eaa13993.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                  51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3980
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4020
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\754d0ed4-7f61-4bd7-9723-4c5861408d9e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3816
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3560
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b5b71cc-fa12-40e3-94ba-d6f702bb73ba.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                              55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3592
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3864
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d97c17-869e-4520-8545-56ab51a367a2.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3564
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\570042b8-4769-46be-925c-f2e9289e426b.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3264
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              60⤵
                            • UAC bypass
                            • Checks whether UAC is enabled
                            • System policy modification
                            PID:3184
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6409692a-9c2b-4d72-befb-536aae14efa5.vbs"
                              61⤵
                                PID:1852
                                • C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
                                  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
                                  62⤵
                                    PID:3456
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f781d06-f57d-4d31-b5ee-581a8d0c9d8d.vbs"
                                  61⤵
                                    PID:3628
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e08a1196-b5e5-44b1-b685-11bd8c713268.vbs"
                                59⤵
                                  PID:3780
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9ffe74-28cf-438e-8c01-9865d782fb85.vbs"
                              57⤵
                                PID:2924
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e25829-5ded-4b58-a29d-09e1f17a932f.vbs"
                            55⤵
                              PID:4068
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4ee9d99-1404-4d6a-9891-ac148d55b715.vbs"
                          53⤵
                            PID:3528
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1003441e-f5a4-4ea3-accb-82f163a5ed4d.vbs"
                        51⤵
                          PID:2620
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4512d7b-c20f-402c-8be6-21a53c439a4f.vbs"
                      49⤵
                        PID:2868
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b88d343-e3ba-40e7-a3da-9a8ed9800ed7.vbs"
                    47⤵
                      PID:4084
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67659cee-ed3a-4659-b112-dbf0aa54fc4c.vbs"
                  45⤵
                    PID:3100
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7942f640-df32-47ed-9bf1-540fd93ef028.vbs"
                43⤵
                  PID:3988
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3bea8da-085c-4b1e-b461-b2171a72c068.vbs"
              41⤵
                PID:2844
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614a48d1-8ec4-4bd3-b807-4379d1f668a4.vbs"
            39⤵
              PID:4036
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e5291a-2e1c-4927-9047-e5e7b924d519.vbs"
          37⤵
            PID:3716
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d336ae63-5a53-4254-9a05-01851c93c85a.vbs"
        35⤵
          PID:2992
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f183ecc-b65e-46cf-af0d-862755793078.vbs"
      33⤵
        PID:3144
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3b9b6d-cc31-4e21-8225-4269f6d2e05d.vbs"
    31⤵
      PID:2952
• C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18fc56d-8b59-4b3a-b6f8-78652be138d4.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                    29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3288
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96646a7d-d4d3-4cac-b1ea-f4660de91140.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3136
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529c7d6a-95ce-4777-878f-76a1ef4f0040.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3504
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8dd02c7-a8de-436e-b269-41fec808ca1a.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                              23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:600
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacc9d16-a581-4bd9-98ce-0a450893b92e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                            21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3588
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72fef30b-806d-496d-a128-236923f44e76.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                          19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3708
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c077c7-50fa-4231-8b64-da4b3f34812a.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1640
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44610319-c55c-4868-b218-bdf4803bfe5c.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3000
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8830da6-9803-41a4-a4de-b9f24923f221.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1964
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ba9a05-443e-40ce-a108-be077d910471.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3552
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ca4e411-a5ac-471a-ba9a-f8f27cb8ee58.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3832
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a67bc18-15ba-4920-b53f-6dfe54d80027.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:3408
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2064efdd-74ab-493b-8950-1f83940d3aa7.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:3248
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7a08be9-70cd-44dd-b67f-7dfe9ee0072d.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3940
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3436
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                                                                                                                                                                                                            C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
    PID:1376
  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
    2⤵
    PID:2872
  • C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
    C:\Windows\addins\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
    2⤵
    PID:3200
  • C:\Users\Admin\Recent\lsass.exe
    C:\Users\Admin\Recent\lsass.exe
    2⤵
    PID:2840
  • C:\Program Files\Java\jre7\lib\ext\spoolsv.exe
    "C:\Program Files\Java\jre7\lib\ext\spoolsv.exe"
    2⤵
    PID:4064
  • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
    "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
    2⤵
    • UAC bypass
    • System policy modification
    PID:1352
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d5ba54-2f5d-4264-8f44-cc64f41e0ad8.vbs"
      3⤵
      PID:1804
      • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
        "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
        4⤵
        • Checks whether UAC is enabled
        • System policy modification
        PID:2388
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764e1ab7-2bba-43cf-b8c3-9f9e03467854.vbs"
          5⤵
          PID:3556
          • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
            "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
            6⤵
            • System policy modification
            PID:3304
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ffe154-fa6e-475e-b610-a0643a32b338.vbs"
              7⤵
              PID:3564
              • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                8⤵
                • UAC bypass
                • Checks whether UAC is enabled
                PID:3676
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c7b982-84e8-4ed2-afab-505c81ed8c1f.vbs"
                  9⤵
                  PID:4092
                  • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                    "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                    10⤵
                    • UAC bypass
                    • System policy modification
                    PID:1432
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2655f2f9-8550-451a-b5ba-6bd9d4a73158.vbs"
                      11⤵
                      PID:1364
                      • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                        "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                        12⤵
                        • UAC bypass
                        PID:3736
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83f4bad-c3e6-4b38-b431-ec78fa4bd7b8.vbs"
                          13⤵
                          PID:3756
                          • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                            "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                            14⤵
                            • UAC bypass
                            • Checks whether UAC is enabled
                            • System policy modification
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2020
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e5693b2-a895-42a4-8503-1a000b3dd264.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1704
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f278f799-e669-4a90-a89d-ad24a99b1e74.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System policy modification
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ca6903-f844-46b3-b727-4b781a3d003c.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d932b8e8-2240-468c-b1df-2909ca0f3ab8.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ff7587-df65-493f-adf2-836849fcd02b.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d538be-bcce-4f87-97e2-476bbcee65ae.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2493fdf-d86c-441c-92aa-6cb539e386bb.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa3965a-6c54-415b-851f-0fae7e73ced9.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb4f5e6-65c2-4bd3-8c7a-dd8dd0ff3ae8.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            13⤵
                                            PID:3344
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b6ecf56-3b79-42b8-bc5c-2344a4daf9e8.vbs"
                                      11⤵
                                        PID:3968
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ea02601-d5dd-45e3-8895-91a51044e0a2.vbs"
                              9⤵
                                PID:4032
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e6d4d81-21e4-417e-9356-cade703f04d5.vbs"
                      7⤵
                        PID:2120
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\742bfaf1-f2e1-4374-bfb8-5f0efb437697.vbs"
              5⤵
                PID:2432
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a43d0acd-ce98-423a-adb6-9ca52d9c9ca4.vbs"
      3⤵
        PID:336
• C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
  C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe
  2⤵
    PID:3424
• C:\Windows\Tasks\lsm.exe
  C:\Windows\Tasks\lsm.exe
  2⤵
    PID:3112
• C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe
  "C:\Program Files\Mozilla Firefox\browser\features\audiodg.exe"
  2⤵
    PID:4048
• C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
  2⤵
    • Checks whether UAC is enabled
    PID:4060
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e6d0864-4a0e-4414-b04e-5e3986e09daf.vbs"
      3⤵
        PID:3860
        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
          4⤵
            • UAC bypass
            • Checks whether UAC is enabled
            • System policy modification
            PID:3556
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00978fee-2799-4c17-9579-f97c3d948057.vbs"
              5⤵
                PID:3632
                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                  6⤵
                    • Checks whether UAC is enabled
                    PID:3564
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8fb25d-06e1-4594-995c-a6bc85d0b29c.vbs"
                      7⤵
                        PID:940
                        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                          8⤵
                            • UAC bypass
                            PID:2816
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a400d5-7df3-4a87-b56a-42b5a653b889.vbs"
                              9⤵
                                PID:3656
                                • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b69289-a079-4848-a3f9-31eef4c57f53.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65c195e-c52d-4fe7-ac1e-c2b3200e166f.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98f65c3-bab4-4463-8255-b72b5ca94ee0.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3684
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c820c89-6b36-4673-8ae7-f2b287de9f04.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3280
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce3d7aaf-82e5-464f-a3e0-3539426365da.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22d245c-93bd-4ab9-b9f4-afb668747a41.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c8c9ef-9d67-4c1b-b595-c3d03803863e.vbs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb93e09-4363-4997-9308-a3af23f1f235.vbs"
                            15⤵
                              PID:3688
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f197267-a4c3-4299-b150-79a8cff73cfe.vbs"
                        13⤵
                          PID:3632
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ee4644-7626-4cf9-83c5-f8932b788d4b.vbs"
                    11⤵
                      PID:1852
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da94ec6d-ba16-4ebe-bfdf-1762a1a75b88.vbs"
                9⤵
                  PID:3760
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c327091-3c6d-4f61-afc5-7f138e406c44.vbs"
            7⤵
              PID:3912
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe6ad39-2c50-494b-ab94-88d520dcb21f.vbs"
        5⤵
          PID:4092
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c46bbfa-7b0c-4ba8-bedb-8054d220a34c.vbs"
    3⤵
      PID:3916
• C:\Users\Default\Saved Games\explorer.exe
  "C:\Users\Default\Saved Games\explorer.exe"
  2⤵
    PID:3476
• C:\Users\Admin\Recent\lsass.exe
  C:\Users\Admin\Recent\lsass.exe
  2⤵
    PID:776
• C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
  "C:\Program Files\Windows Media Player\Media Renderer\wininit.exe"
  2⤵
    PID:3032
• C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
  C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\csrss.exe
  2⤵
    PID:3976

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
  Filesize: 4.9MB
  MD5: 1f10925693bbf4fa35d0a1b7277efe21
  SHA1: 2d38bd8b9ba5107b9e905e77ec179b369d2d5f7a
  SHA256: c808909af7ce018bc0d993e957e25bbe63aea9ed9746107194e660eb6d2f478c
  SHA512: add18344b2b66495e6212ed0c6f79097dcb35e64ff3077509d25693156d8d019a027dff1e04c66952af3641599fafab3274ef87a027b60993c069d939f9f9e38

• C:\Program Files\Windows Media Player\Media Renderer\wininit.exe
  Filesize: 4.9MB
  MD5: f7543863b15675605ca0dd3264d06561
  SHA1: d607a45cc3aa772e31f2d5558538a9d3fe7b138f
  SHA256: 0c0b7e8ea93e5aae2ff44d35ef4f93f2fe113a74a1db5a55d1e5d69506b3f067
  SHA512:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    911b384009b9d98c48f18947701eee791d60bd0254258a557b2769bfad0266194cdb3c58a592788fa7a41fd5041a85b74d59f9f982054770f087c72289ba004f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\RCX7D8A.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    902f5a8ad3b6cccbc70c3c5b1bdf3afd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    581e37998cce83437db5ee432d472b9d395f10ce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    088ba83d7632ad1ff17bac826aaa22af8bd1b62fc11f9bb31082caf87ef326df

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    79a9a3ee65bd1929a3464b627a079d407402163cac4f5ff85940994b9439ab2463bb591f472a9283f70605e81c269d9878a7f6fdca6bd9abdae5b72203ee2c98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\System.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5a9fb15e8fc1d8162c861ca1544f38f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a7606e286eb27a1a5e95693c594de5c65c5d7aa1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1477a36b-e1b5-4cd9-9369-c11203a3d45c.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    94ddc237ac5f52fe612b279a6058d2d4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d8fb261b8dfeb2863874a8ab86a77382a8520699

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b8d5f7fde8ad466e246f48ff0b5f2032b0199a2b45ea64be39938bb736b59500

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e614213100c4bfb51e8c10aafaef7a3f529f72923d98623f5e093706239f2fd6f9a78525e1c07aeb84a4634407179a10792bc9cabae4f174cc5ecc209188e9fa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\21a781c9-34ce-4a67-9589-762570e27eb0.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3089c47815b937b28f4a5c97f59e8eee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    734f3678338f26b6ad91c5864e27480c4c672265

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    beb1bf686dd8cd883c781cb2c753eb146536e8f65ba0231aa8e5b799c9feffaa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2476e4d6f403d3391eca0575d101c264fc32128fc1c413ef04a859006456844fd628431120662e5a609acb8a842fca1f82a7e30dcc221444616636419de4a1e4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\25cfb345-d5f1-430d-a5fb-1b6925dac913.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b7f08e3a3eecc5a9af6067e9a780d445

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a7816aa3ad08a67090a8a1b7a3cb4ebfdd971495

SHA256: 9464d7d4d317f80a9245f48f6b98ed6d823a076b4d330c8304e22e6eb3821c48
SHA512: d346206df9472b6049c862ff39fd529c2f3a0e6cc18a494fb3786c26c4898625602946eff40809ae7219f2cd77c1857e4ac7c80dd122c262b94f584d5148a82c

• C:\Users\Admin\AppData\Local\Temp\291d1841-97a1-4377-a667-b8cba52acf26.vbs
  Filesize: 736B
  MD5: b15d682a6fa720ccced581a945b927fe
  SHA1: cdfb29eac715c0d26974659738b32e298cb51e51
  SHA256: 8c92a3835848525efb0abfa4e59136d940fd64fbc18626eeae96974de6258136
  SHA512: 0782b4e4711ad927e1b7319135285a127ce8fa2e0e82193351498976afe4325d2218a300ca796e87e15134b7f4990710b94f3855af3a334f5da91a3cf9988b82

• C:\Users\Admin\AppData\Local\Temp\2d143383-7fcf-4ace-8c27-5d0cb288723e.vbs
  Filesize: 737B
  MD5: 77eae1c1d105a9e55a0517cf80c8e94b
  SHA1: 6fab975c03d94152a8b66d25b3c3357a399c2d29
  SHA256: aedcd7d3581e95d141b14ba24b391e14665532cb0a2a0602276a993377ee3961
  SHA512: 4ed7b5d12b5cb29dae0bae917ec904a61125d015e7ea142beeac6e4f57d1c0a0c39de3728d5a26075ee44ed6fc51876ab04962f807bbe27c9e7ac2dca189d1a2

• C:\Users\Admin\AppData\Local\Temp\3e575393-f82b-4ad6-856d-57b9d3a61a86.vbs
  Filesize: 737B
  MD5: c5d33614fdb3b45208edbb5aac6bbca6
  SHA1: aa916221cf31f36a965ef54936b0b3b3ed8129df
  SHA256: 6ea0433240069c3e24185ac868c201ab90cc14972acfedd544b5649bae7aba9b
  SHA512: a72c101165f88e382342d6f97cf849369c4f9008e179ac66e96b29457e6647fec30a1054d61652977251c889d27b4f0157251eccef584493336c7467491d6e6e

• C:\Users\Admin\AppData\Local\Temp\428da52a-3604-470b-b057-5902eaa13993.vbs
  Filesize: 737B
  MD5: ba0ff6f13c21f3d9e7b742fad4c96eac
  SHA1: 0d9249a83be2753bcc518422087673a007ed6b67
  SHA256: 0b774dfe76f32e4ac4473c4525f5847e888ccac51ce0d95b452492c74d46c049
  SHA512: 4985f4124a7ac792febb0385eea67155f452f454907cce1b0e7da3ab5b7907555dfe72d7378e23d3f2ec55df5861d4df561f446be5af3c0430bcb2829e7f24f6

• C:\Users\Admin\AppData\Local\Temp\4a677a3f-2ca9-4e68-8348-2ece52d293d8.vbs
  Filesize: 516B
  MD5: b1b323a475c9afc41ca4985a94636449
  SHA1: 0fa05d2ed088dddaa2ca1484881ae9bba51a49ce
  SHA256: 15e59ecf287c710faf0488b4dbdb7b8f715751e41f800cd433235cee5fc79a67
  SHA512: 4f386c0bbeb5190d268da23040221c1d7ad7cac60ca644ae4a7ed536a67f79ff3be58b7366868bc99f86820ab76ed263f2a419b2be7ca1b3239ad9a595ecc223

• C:\Users\Admin\AppData\Local\Temp\564dca90-8d9b-43bf-85d1-fed76beb7496.vbs
  Filesize: 523B
  MD5: 2c61fa8aea872fc77447f09ecc005f12
  SHA1: 9d1f0ad4040289c49d7f0d78f1fd0717dc580ca2
  SHA256: 5d90ed02b0fb7d509975252c1a573d6ce2995a0041383416848e92ab915b4672

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    43981a90cdf5632347871db60bd74a0ce8de366991cb83aacbd56fbd78baa79d6d1989c098c8519b5b68468c9d322fffc3378dd1ec71414247652406e320f070

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7bc81e34-14fe-4e02-bbef-7b501e3c51a9.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    513B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ea35266504394a12cbb7e0eb895bb381

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    748a56fb051a9ffaa55fb89b02399e87131459cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6a349bf2301c2b86ae27a0268e85789783c0eec260babe9808cbfab61187c6e3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    033ec671e193aa971271392151a2f6780a9e0e5d53244ac3ee4afc7d5e9dc908ee58720af1a4d02c7853ca7f45a56b1a146474aa58b944d28dd12969e94b4b73

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7fb1eaeb-6187-415e-978f-b68aa8e53c70.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    66947f08603787939ee422f69aa2de86

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c255c77b60cbdec98a0bef76beb98bbd8814070f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c4a27afec8626a2f296e5c053810f3752f8f1ad589339b09d1ba76fe749228f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    91f3fc04f0df696cba255a33d3a61d566eb18f15c4eff11f85f3e975e2a8e478123f563fb4c3635b904d7cf6d6fb2e34ad8f3cf0055d8070b26adf37a56d087b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\974d9147-ea43-4c17-a2de-ec4ceeb32ca5.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    05ed5d7ce2024a516ee2e5b66bc7d16c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4c3e55eb6b6f18f6fe0214f19393c9c0c3452314

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    40042a78413edd782a3547005facc59a719c929e9b277ff03a65c6e763b70772

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    28709559da2c9e095fbeab2c65cb168501e40d2bf1696ca52352fc01665f53bc81ae2bdab123df7af9f583e5d8c6378e56829fe1dcd94f031b24d2f3f687c4c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\EwmW5ZiuB3.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    226B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    f14661361959be15faadbe237c212ceb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    082540ee7930a64bf774fa68210d7f3b50cfbf32

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    502611aa66faf25fbc9c3b7ca6a22de90330afd8b3ebb3219173bc4f4cff77f5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    6723c32692905c7ceb68a332988f03eb7079ab336f8220b61ae1b18def8a204cab559e359ed0da955ae1eefa9b80791e3f14e33d6533e834fbe38146d1a195e4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\ab1b8ed7-f92d-46c5-ade6-ff762fc5acb4.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    526B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    449e9b99e79d978faeb4ea9d9dc002e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9c88277a72964de97ac79c6d12f1d1a7d5d35035b6c8f4d6046facc8d6bc10e3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0966083525c0fdf6329130d29dd43f92a42e791defcd6585ca4818aad2acaf483e9e004cf2cdc7b3a78f95f95477db60bd259f1a49e4f31b0a373ad71c720729

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\f7a957ed-c25f-4329-a969-4602cc19c6d6.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    737B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1bee4425dab93b60f0d50281e505cc31

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8af4238d6aac4605e9f8d8e789a860287f6c8677

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    768e2a3e627d70eecd5034065bc2e7c7e2401485561fe5fb674316073a174633

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    140fab69f27d2e39ce0cbd4f13e05324a10d742f9e567ce6d4fe413cf0160febbfc5ab28ccc60c354bdc0d018ee8710cc5bd5c7a9edb5c7989d95d092e62d5f8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\fa74fcd7-1681-45ab-af55-0c17c74bbdaf.vbs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    736B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2b7ded60cefb283969cf354a777bc526

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a8e734ca1771d289339b3110a814e403caeb87db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ff8e07dbbf6635ed59f40a9f87a53a01c708f732a157445537765986079d2475

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5866ce8862e5ee059ef21c6bc9803fafa063b1909892f233815bad0c208971809dac5999a894462c533e2d56a71530c3fea6105047e252cb4d45a1f28ad81c98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpA7C4.tmp.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    75KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    e0a68b98992c1699876f818a22b5b907

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    13d390a087d4855aca2a53419c36a911

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7fd2d45880d625bbebce7e8a74a67950538cc6fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1eed5dcdeeaa69c69c3b935799dc95ffdb97404d0fab6ee8e9e2f2e1827ca084

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    96811206c11d25a38f19b510b87c01ebcdaadc83722b267f38b0805ecd3312e5fe0a5ea2058f0b41439a85e0fcacec21132f5745b97fba059968694b2d18ebf2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/480-798-0x0000000000EC0000-0x00000000013B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/544-529-0x0000000001040000-0x0000000001534000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

5.0MB

• memory/544-877-0x0000000000FD0000-0x00000000014C4000-memory.dmp
  Filesize: 5.0MB

• memory/860-169-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
  Filesize: 2.9MB

• memory/860-171-0x0000000001D80000-0x0000000001D88000-memory.dmp
  Filesize: 32KB

• memory/884-341-0x00000000010D0000-0x00000000015C4000-memory.dmp
  Filesize: 5.0MB

• memory/884-797-0x0000000000F60000-0x0000000001454000-memory.dmp
  Filesize: 5.0MB

• memory/940-932-0x00000000013E0000-0x00000000018D4000-memory.dmp
  Filesize: 5.0MB

• memory/1064-310-0x00000000000D0000-0x00000000005C4000-memory.dmp
  Filesize: 5.0MB

• memory/1108-356-0x0000000000BD0000-0x0000000000BE2000-memory.dmp
  Filesize: 72KB

• memory/1352-1305-0x00000000012E0000-0x00000000017D4000-memory.dmp
  Filesize: 5.0MB

• memory/1356-723-0x00000000011F0000-0x00000000016E4000-memory.dmp
  Filesize: 5.0MB

• memory/1376-1080-0x0000000000330000-0x0000000000824000-memory.dmp
  Filesize: 5.0MB

• memory/1400-520-0x00000000003E0000-0x00000000008D4000-memory.dmp
  Filesize: 5.0MB

• memory/1508-478-0x0000000000610000-0x0000000000622000-memory.dmp
  Filesize: 72KB

• memory/1652-649-0x00000000010D0000-0x00000000015C4000-memory.dmp
  Filesize: 5.0MB

• memory/1656-985-0x0000000000C90000-0x0000000000CA2000-memory.dmp
  Filesize: 72KB

• memory/1656-984-0x0000000000FE0000-0x00000000014D4000-memory.dmp
  Filesize: 5.0MB

• memory/1708-636-0x0000000000C50000-0x0000000000C62000-memory.dmp
  Filesize: 72KB

• memory/1740-856-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
  Filesize: 72KB

• memory/1792-1387-0x00000000004A0000-0x00000000004B2000-memory.dmp
  Filesize: 72KB

• memory/1848-425-0x0000000000380000-0x0000000000874000-memory.dmp
  Filesize: 5.0MB

• memory/1848-1097-0x0000000000980000-0x0000000000E74000-memory.dmp
  Filesize: 5.0MB

• memory/1940-295-0x0000000000920000-0x0000000000932000-memory.dmp
  Filesize: 72KB

• memory/1940-294-0x00000000001A0000-0x0000000000694000-memory.dmp
  Filesize:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-9-0x00000000005A0000-0x00000000005AA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    40KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-13-0x0000000000980000-0x000000000098E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-4-0x00000000002B0000-0x00000000002CC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-1-0x00000000009B0000-0x0000000000EA4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-14-0x0000000000990000-0x0000000000998000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-5-0x00000000002D0000-0x00000000002D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-15-0x00000000009A0000-0x00000000009A8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-11-0x0000000000960000-0x000000000096A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    40KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-6-0x00000000002E0000-0x00000000002F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-12-0x0000000000970000-0x000000000097E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-145-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-7-0x0000000000570000-0x0000000000586000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-8-0x0000000000590000-0x00000000005A0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-3-0x000000001B430000-0x000000001B55E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-168-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1972-10-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize 72KB

• memory/1972-16-0x0000000002530000-0x000000000253C000-memory.dmp Filesize 48KB
• memory/1972-138-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp Filesize 4KB
• memory/2036-811-0x0000000001390000-0x0000000001884000-memory.dmp Filesize 5.0MB
• memory/2076-557-0x00000000013B0000-0x00000000018A4000-memory.dmp Filesize 5.0MB
• memory/2076-591-0x0000000001390000-0x0000000001884000-memory.dmp Filesize 5.0MB
• memory/2124-901-0x00000000010D0000-0x00000000015C4000-memory.dmp Filesize 5.0MB
• memory/2148-436-0x0000000000020000-0x0000000000514000-memory.dmp Filesize 5.0MB
• memory/2296-812-0x0000000001190000-0x0000000001684000-memory.dmp Filesize 5.0MB
• memory/2340-509-0x0000000000C50000-0x0000000000C62000-memory.dmp Filesize 72KB
• memory/2380-676-0x00000000012D0000-0x00000000017C4000-memory.dmp Filesize 5.0MB
• memory/2388-1316-0x00000000012D0000-0x00000000012E2000-memory.dmp Filesize 72KB
• memory/2444-246-0x0000000000620000-0x0000000000632000-memory.dmp Filesize 72KB
• memory/2444-245-0x00000000010C0000-0x00000000015B4000-memory.dmp Filesize 5.0MB
• memory/2444-675-0x00000000000C0000-0x00000000005B4000-memory.dmp Filesize 5.0MB
• memory/2472-590-0x00000000010E0000-0x00000000015D4000-memory.dmp Filesize 5.0MB
• memory/2532-325-0x0000000000A10000-0x0000000000F04000-memory.dmp Filesize 5.0MB
• memory/2532-326-0x00000000004A0000-0x00000000004B2000-memory.dmp Filesize 72KB
• memory/2536-670-0x00000000013E0000-0x00000000018D4000-memory.dmp Filesize 5.0MB
• memory/2552-1108-0x0000000001100000-0x00000000015F4000-memory.dmp Filesize 5.0MB
• memory/2564-1195-0x0000000001300000-0x00000000017F4000-memory.dmp Filesize 5.0MB
• memory/2572-570-0x0000000000510000-0x0000000000522000-memory.dmp Filesize 72KB
• memory/2572-569-0x0000000001260000-0x0000000001754000-memory.dmp Filesize 5.0MB
• memory/2644-701-0x0000000001130000-0x0000000001624000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2656-650-0x00000000003B0000-0x00000000008A4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2668-536-0x0000000000F30000-0x0000000001424000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2692-799-0x0000000000200000-0x00000000006F4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2708-584-0x00000000000F0000-0x00000000005E4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2720-1266-0x0000000001360000-0x0000000001854000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2816-231-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2816-230-0x0000000000D20000-0x0000000001214000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2844-605-0x0000000000630000-0x0000000000642000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    72KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2852-279-0x00000000000F0000-0x00000000005E4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2880-447-0x0000000001330000-0x0000000001824000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2924-712-0x0000000000180000-0x0000000000674000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2940-774-0x0000000000BF0000-0x00000000010E4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2960-690-0x00000000000C0000-0x00000000005B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3000-785-0x00000000002C0000-0x00000000007B4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3108-973-0x0000000000310000-0x0000000000804000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3184-1277-0x0000000000160000-0x0000000000654000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3200-1288-0x0000000000110000-0x0000000000604000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    5.0MB

• memory/3396-1069-0x0000000000320000-0x0000000000814000-memory.dmp (Filesize: 5.0MB)

• memory/3404-1184-0x0000000000B90000-0x0000000001084000-memory.dmp (Filesize: 5.0MB)

• memory/3452-1119-0x00000000001E0000-0x00000000006D4000-memory.dmp (Filesize: 5.0MB)

• memory/3456-1289-0x00000000012F0000-0x00000000017E4000-memory.dmp (Filesize: 5.0MB)

• memory/3528-952-0x00000000001F0000-0x00000000006E4000-memory.dmp (Filesize: 5.0MB)

• memory/3536-953-0x0000000000590000-0x00000000005A2000-memory.dmp (Filesize: 72KB)

• memory/3640-1162-0x0000000000330000-0x0000000000342000-memory.dmp (Filesize: 72KB)

• memory/3640-1161-0x0000000000340000-0x0000000000834000-memory.dmp (Filesize: 5.0MB)

• memory/3756-1173-0x0000000000B10000-0x0000000001004000-memory.dmp (Filesize: 5.0MB)

• memory/3812-1047-0x0000000000C90000-0x0000000000CA2000-memory.dmp (Filesize: 72KB)

• memory/3896-1140-0x0000000000620000-0x0000000000632000-memory.dmp (Filesize: 72KB)

• memory/3908-1058-0x0000000000CD0000-0x00000000011C4000-memory.dmp (Filesize: 5.0MB)

• memory/3988-1006-0x0000000000BE0000-0x0000000000BF2000-memory.dmp (Filesize: 72KB)