fe8d19b219e7ea3cf17d747932ecba2a45ca5fe0573870f7f0fe31c7726b074c

Resubmissions

25-06-2021 19:12

210625-azq22fkw5a 8

17-01-2021 18:23

210117-eysy64wk7j 8

30-12-2020 13:34

201230-vpylajm5p6 8

Analysis

max time kernel
150s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
17-01-2021 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorrorTrojan.exe
Size

2.2MB
MD5

88501d015f58ab6c33b32f78324de059
SHA1

83bf9bef17b44940710a32939bff0e10e7d83f9a
SHA256

fe8d19b219e7ea3cf17d747932ecba2a45ca5fe0573870f7f0fe31c7726b074c
SHA512

c03583a63f2cfa17649fc7abaf398ea7f121be191d8655bd253b78747be551bed1497f9547d9446747a7906ebd733a24c547e61d1ef56788b105cb593ea823af

Score

8^/10

aspackv2 ransomware

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4116.tmp\flasher.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\4116.tmp\flasher.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\4116.tmp\screenscrew.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\4116.tmp\screenscrew.exe	aspack_v212_v242

Executes dropped EXE 4 IoCs

Processes:

CLWCP.exeflasher.exescreenscrew.exemelter.exe

pid process

3508 CLWCP.exe
2060 flasher.exe
1408 screenscrew.exe
4288 melter.exe

pid	process
3508	CLWCP.exe
2060	flasher.exe
1408	screenscrew.exe
4288	melter.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

CLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "c:\\horror\\bg.bmp"	CLWCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2644	timeout.exe
5108	timeout.exe
5808	timeout.exe
676	timeout.exe
4564	timeout.exe
4920	timeout.exe
5400	timeout.exe
5692	timeout.exe
5116	timeout.exe
6788	timeout.exe
208	timeout.exe
6120	timeout.exe
2672	timeout.exe
6336	timeout.exe
6448	timeout.exe
4984	timeout.exe
4384	timeout.exe
8048	timeout.exe
4392	timeout.exe
5460	timeout.exe
5932	timeout.exe
2420	timeout.exe
5980	timeout.exe
6784	timeout.exe
4484	timeout.exe
564	timeout.exe
5640	timeout.exe
6168	timeout.exe
7432	timeout.exe
7536	timeout.exe
3892	timeout.exe
5284	timeout.exe
6364	timeout.exe
7008	timeout.exe
3304	timeout.exe
2904	timeout.exe
7036	timeout.exe
2576	timeout.exe
424	timeout.exe
4800	timeout.exe
6304	timeout.exe
7272	timeout.exe
3900	timeout.exe
2888	timeout.exe
2264	timeout.exe
5680	timeout.exe
560	timeout.exe
6952	timeout.exe
4436	timeout.exe
6672	timeout.exe
4144	timeout.exe
7380	timeout.exe
4500	timeout.exe
5992	timeout.exe
6056	timeout.exe
4980	timeout.exe
2680	timeout.exe
4560	timeout.exe
4696	timeout.exe
6392	timeout.exe
2992	timeout.exe
1020	timeout.exe
6228	timeout.exe
6504	timeout.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

2456 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	cmd.exe

pid	process
2456	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HorrorTrojan.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 2456	756	HorrorTrojan.exe	cmd.exe
PID 756 wrote to memory of 2456	756	HorrorTrojan.exe	cmd.exe
PID 756 wrote to memory of 2456	756	HorrorTrojan.exe	cmd.exe
PID 2456 wrote to memory of 3508	2456	cmd.exe	CLWCP.exe
PID 2456 wrote to memory of 3508	2456	cmd.exe	CLWCP.exe
PID 2456 wrote to memory of 3508	2456	cmd.exe	CLWCP.exe
PID 2456 wrote to memory of 208	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 208	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 208	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2060	2456	cmd.exe	flasher.exe
PID 2456 wrote to memory of 2060	2456	cmd.exe	flasher.exe
PID 2456 wrote to memory of 2060	2456	cmd.exe	flasher.exe
PID 2456 wrote to memory of 3892	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3892	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3892	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3908	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3908	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3908	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2644	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2644	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2644	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 1540	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 1540	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 1540	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2576	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2576	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2576	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2136	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2136	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2136	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 564	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 564	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 564	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2932	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2932	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2932	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3900	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3900	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3900	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2716	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2716	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2716	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2428	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2428	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2428	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 696	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 696	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 696	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3800	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3800	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3800	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 3184	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3184	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 3184	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 2888	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2888	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 2888	2456	cmd.exe	timeout.exe
PID 2456 wrote to memory of 1408	2456	cmd.exe	screenscrew.exe
PID 2456 wrote to memory of 1408	2456	cmd.exe	screenscrew.exe
PID 2456 wrote to memory of 1408	2456	cmd.exe	screenscrew.exe
PID 2456 wrote to memory of 1152	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 1152	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 1152	2456	cmd.exe	WScript.exe
PID 2456 wrote to memory of 424	2456	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\HorrorTrojan.exe
"C:\Users\Admin\AppData\Local\Temp\HorrorTrojan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4116.tmp\horror.bat" "
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\4116.tmp\CLWCP.exe
clwcp c:\horror\bg.bmp
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3508

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:208

C:\Users\Admin\AppData\Local\Temp\4116.tmp\flasher.exe
flasher 5 c:\horror\scream.bmp
3⤵
- Executes dropped EXE
PID:2060

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3908

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:1540

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2136

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2932

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2716

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:696

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:3800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3184

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2888

C:\Users\Admin\AppData\Local\Temp\4116.tmp\screenscrew.exe
screenscrew.exe
3⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:1152

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4060

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3628

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:2848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2308

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2264

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4128

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4176

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4232

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\4116.tmp\melter.exe
melter.exe
3⤵
- Executes dropped EXE
PID:4288

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4344

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4424

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4488

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4548

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4608

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4668

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4728

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4788

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4848

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4908

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4968

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4980

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2196

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2460

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:3296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4468

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4440

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:2844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4712

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4820

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4944

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5084

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4228

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4268

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:1844

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3300

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4856

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4152

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4724

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:496

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5132

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5140

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5184

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5196

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5268

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5324

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5332

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5444

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5504

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5564

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5624

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5640

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5744

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5812

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5864

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5924

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5984

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6044

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6104

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3876

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4380

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:1872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:816

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5272

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5404

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5540

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5644

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5776

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5920

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6012

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6140

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:2092

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3896

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2420

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5068

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4412

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4772

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:1076

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4660

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4140

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:904

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:3244

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6160

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6216

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6280

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6292

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6328

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6384

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6440

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6496

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6560

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6608

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6664

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6720

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6776

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6832

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6844

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6888

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6944

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7000

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7056

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7112

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5592

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6188

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6296

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6408

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6508

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6624

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4736

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6860

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6972

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7068

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4816

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6324

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:6364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6588

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:4872

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:6996

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5728

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:4992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5276

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5832

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:6376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:5752

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:5064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7192

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7248

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7304

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7368

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7416

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7472

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7528

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:7536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7584

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7640

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7696

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7756

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7812

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7868

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7924

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:7980

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:7988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:8036

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:8048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs"
3⤵
PID:8092

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
PID:8100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4116.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\bg.bmp
MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\flasher.exe
MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\flasher.exe
MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\horror.bat
MD5
3255e8bcd675d756d558dc26bb82620c

SHA1
ec7466b0bb13bf2c88504f01e73856e1b2887415

SHA256
10470be0fd23195dd21893584409dff05f6f58f48af5ff7106368ca12aa9e591

SHA512
7674e4295efd95d3cb8a6f2c00a4b5d68e6f8fef233a56aae66150d8037899943ac93066601d65bce358719e174d1d21731eddbdfb830d5b08055fb2f8f292cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\melter.exe
MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\melter.exe
MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\scream.bmp
MD5
71da1eae2be419d58f50b9a4edecd9a5

SHA1
f85815f8184e7aa1a0062da376ab851870466d66

SHA256
fa03cbb06cd0a6c4875f5cb770476ebc6947b0fd366fd779bfd4c9f8b0899536

SHA512
be46a45de3d966a02c74218357d288948292b0e772a6a18bfc4c5d0b805af050d0044db18a60913cb458b5ed4f2c4fa913621984d412fc5a0edb3a0b57ee9fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
409d5594313fa391006f2692974a18c2

SHA1
4227e8cb72e23920c2318a02ee164711956ed59a

SHA256
007d3ed02752217a0b412dbfd79db2e295832778c6dd5125ee385980c218f1ad

SHA512
8c69c9fbdc6f35eb38d393457d5469b1c3fe4f74feedd933bbfe53e3747a091492ccb85780c8c27078b563efc73da83df855c54111f2cfd14bd5b708ef2393b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
b1cd41b60bd87ec730f0fc06521700f0

SHA1
e9a538a80da7d07260252b902bfec1b0d7663856

SHA256
ad20e8dd8bfeaf0fe3959d8c19092bc30030874007dbb511caac317468a0f077

SHA512
1834715069fadfa1e34408f7fedb5218c1e90cd6e57c4129334221a1690cd89c4d6a81be2f514265438963eb3dc512239c1313e9af7db9cfef4f0914c47f23ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
54241f2a7701dd70065815b34565f2bc

SHA1
ea5158db76e90afd4f0cca34fb7fac7b3e5e2f41

SHA256
fc6db9e988396c0da3e0a3b531133b0b8dd73894c1b52adb1a1c58bef1afb07d

SHA512
f891953e8537fd616804b1c7e5a75577d09df6cd52c1ca73b642f4b70fde6aba2d8deb6f9929ad3196c06a7ba78f9f9bf36d726d3b939f24d3ad7c4d547d4eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
da3bf1824ffdec132ba4668afb514b70

SHA1
7c769caf8d7fd0e689c3f00b42b1cd4dcfa16eb5

SHA256
f7ea606406339edc1bafe782a17fd7374f8d8ddf6437ec2795272555062ae3b9

SHA512
708fec8c9810ff6ce7ea7fb579588b4b6b2e3f06030e358a41b81f0ba6bbc8424c82738c2c17d0c89141fc0d4255417886bddd66f5acfb83fdabf2ee2345f417

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
fb7e3d8e246fccba0691520f021a29e5

SHA1
f7dd46d5e4eaf0eb9b82e0c44328502a35fa9a0f

SHA256
2e4d56e2a18e38191ed5ff788144a1507f2cc8747a3c36a76566e6a26c5ba299

SHA512
96ab112b281b6320e75de74da3451d1a240c187cc490a390bd0ac8456e27b8f2a3ef0f6333dc49a08179413a7d9bd32add7387b16126bf6ceae14f9f318a01d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
991801c5e64a1e6ef794e63980180839

SHA1
e52aa267e35d51b6403eee956918f2e490c8e0cd

SHA256
30f27552b5f00435c763d346b7d072c5b1205855d859a41d5c344d87af8c4c86

SHA512
f7852e57dd770ef7eced8f6ebccb593c2220ae00149ae3e66e2f4d7e836f587b18f64378c6f29e060fcb4b00f820b4362f81799bfca22f58b71c10e114c2c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
4d7e252f9ad879ae120afca16aec1072

SHA1
a82b5a07d6a16ad1bc1af6fb146c30aca35e98db

SHA256
049e19eed4537f0afaa800a2eb87529b5bc46a0f4a9a5ff6c66b2a92d0b47af0

SHA512
242aed6c0acc9ebc13eb520648d791e2b30265aaec3d07ff5d9eb55a5c142d9ca0343958a5043d921776e520667566f1ac0109f88efbbd3050c8feecb63b27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
af698c3cff92a580337b9158109e67c8

SHA1
0dcca6caae35119770fdd7a0f15b0a61be5627f2

SHA256
8e02d32a7171ee2cdb96ebe328869b0f9421f100917741173ca1ac40da38ff1b

SHA512
b3e0e3bc3f9919ce0b09f12bc0ff0248a3e0ec7acf2c8c944d77bf7686b0373c9128ad9c20b5d83b4df5773f8537838c75a69131aaba07226f5af2990af4796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
de98a171c34b769343152b756e1e63a5

SHA1
399ec2eb89e53419fd0d2a028a6c4bd36a837fc9

SHA256
3bfe5ff28b5c41243719457fbedd50c0c3e6cad423081d51996d868c83012d95

SHA512
52e39ee1b5b330581787b44004e306c570a0629c4e9cb5df04548e4546c81633ad9ddfae56b5f0cef9d9fd869c9c14ea3c808de28932c8d6ef767793c287824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
68c30b849a9499b64c347982ee7b58aa

SHA1
c6ae5aeab7396c3ba373182f23e55c3cfeba8f7a

SHA256
d286d63587d61198b63bf05a52a76fe0a3f6e6653c97c1cc8f5afd52c6682162

SHA512
bb5f294433345befe13acacc2afed3f3ba05a89409470642b23f21157f4cb74368899fffcc1ed810de30162946b31981c973e921309469031bced0562b3de077

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
7bcaaefb3b73d9981e1908a57cc32ea0

SHA1
d3c5982bb21a069336bdbfe60aaa6511f8b9bdc3

SHA256
b22103f675929b4fda8c9a8b1ff6eccd584df700a9d00e879087195df02fd304

SHA512
211411a4abb9126cc442fa0ff999fc2120db683266f71d08f063b5aee70f3f1e0e2918588df0d80e13aed370567240a447dd67dcef8c6f45a803c080ef4bff2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
7d8c5e2d3a6973f46c3f6f694a9f1eb0

SHA1
9c266abaaa9b87a3501f28860dc2bae4716a4033

SHA256
5c3e7f0fe2782f227cdee4a9a43e78eb80362aad9032e482f6c080687eafa07f

SHA512
7f5395645ec2889765d4cde8392503203b714f15a50260034577d38608424b1bfec0259a6b72d46e67c15c6769a6008b56f4fc19c03cc7edc4e31cb4d6747d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
48ecc6b83e4e3d6b3823bf007401932d

SHA1
7beff25b8f5ce5cce94d7b778b648c496634d939

SHA256
46c96f9cc2a972fa3d8f0bbbb304032570661cc54af9a8dbc2494db562983cf2

SHA512
2363044d38c1ee7623bb82635acecc43debee0619d748d87963e7dd91b9ed6cdd63d4e9d80d1c06e6b55125020c2544b0c8df52e31de1b8099e1cbc981dfe47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
d74db7e568faa960e51772c709c24212

SHA1
2d8c29176eb69a4c4b0456e6315bdf802322dd26

SHA256
0c0edf1e8febcf341859b56d397d5521c8e61fa7fdef9c762875bc49c5bc5a61

SHA512
f24c0a17447218c926ff07bcb8767441fbf64e8d933aaf4082a1749a64c792656276d00cbd40c2cf3ebde89437f7e6d3f5eba6f0f2dbb99979a9e63aff3d143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
b2f0acd6913aa403681e2388555a0fdb

SHA1
e9239c1e03efa257c02136686ef193d8f30d9d09

SHA256
93d7f1fd8df9105fa3b87968bcd1827ab4ba18bf1f4893e6507365363dc9ccab

SHA512
da519be7fd15f30ee5babcca95a622fe6aec55e48ed75279ea4e23a2d663f2db5f87bb7bca1feb8fc5812f6f62337536f55fab99f642634b226d87e62192dab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
afa863f380fa63cac2bfcbe2bb9d39f9

SHA1
f547af2159147d000aed2f1164fd9a3b19ae658d

SHA256
54e3423ac4fad5ae35997454059192919cd0f8d22952c30f0ab54e726610a870

SHA512
29d262c86fd9433ca41235410047cabcddfa25d349737d9c2213aa298e168b6d693c26d624251e6c145b03aecbf759d714c0b8e3823c4fde394e68a528ba0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
361257a319f9777bf17c3edbb31e29df

SHA1
96bac284faa9a3b353331074fa71a6049969ebb3

SHA256
f90ab8d6774e335f4f5d71c269f825c9ff65738727352e116dcc92fa570ba382

SHA512
2913b7bb3189cc9482399e63caff9aa13999c679b5a69ed3f2569169365eca6264630e69f1f6eaee8194936f04e0a6e65a6b37a87f922ebad282f33fa512094a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
9cf637f2d19f937d32d6a0d09dedc503

SHA1
862b977058eb3475198d042d8a78d5fe4df659d3

SHA256
47acbd89f9dcaa19ea80681b857027bfee5d7acde30fa5bc9274cbd45bc338ae

SHA512
8bdc8f45189aa1fd6dfe9d806f748cd79d1c44a8ad5eb9efcf0efe311d23a4cd70c0a9f94755715022092789a9f6c398c479719676efb253523914ad3c4c1443

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
196bc4faf6e3c7de32b318666b59d835

SHA1
9211ffc2c342c0d1b21577d8c394c7f3b5a02953

SHA256
991c26690b4ff39e0ca1c071c7066d97a24e7a0b1d6d6f947621d9cdfc26be71

SHA512
fa67225f853ed5b958301e05aa0987f5b884bb813896b00d4e8236320d1033c5e7d996767bf062f9b45c40de7ab8221d8d7eb4464518d56c4325a0c27d61d89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
3cf2d97be847b632fe8b5ca48eebaa76

SHA1
91f2517146d2fbe28a4f1a645fa4b62bf0e47731

SHA256
082bdb6ed66ba235f1c74449228ea7aae59f1021fff0f8ac4080af9ba54ec986

SHA512
6b9c6efd103bb1dad1a626764e3f203c1328ab9765c5594a5d81c386bb532f96ea8f17163317160cb5380f10ddf6380e6a6aeb3c02fbd420a970290a11812326

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
37e6e81de8d06728accd45e343d39af9

SHA1
17cc9e4df94e9520a0b6c9bcb27497ad0786fdcc

SHA256
4701007b86064ef86640faf3b04f9755e7e4187b2c6f56debb0e82083fa4df7e

SHA512
077021a7eb4d86d65b6c6408b80a7cb54ba705c4e8c2aad3915aeea95ddea8af9388171b9895455539027f316f18fc8f3b3b1f6a33a9f1e4ad84db547ef2606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
a8e717313e04e86508a09113873ee600

SHA1
147c07f9af192bc8571ce8883e93212e60d92062

SHA256
84a32e4c620a7c946782ffa52c556e2643f27f65291879a208f3235f5e882052

SHA512
8fcdacfacfcd1eacabe13e68acdfe8c85f239924abc1ef094de41c41b98c1f50e2a97875c888b2b12609b9fb1436f652e031f37441cc14ad4df2670a45210e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
97615269cc3b1a0d16420710f09b1665

SHA1
ef958de28ad09328c711a12057700ae7f1d7f407

SHA256
9cca65a5bad51224cd759c59f8983c126062ec691a54a560ba6c9ef2060ce5d3

SHA512
d6cb2d7d9a681c5dc4b597106c8ba135a83b81cb4973a06dd8bb4b3d3485c86f35ab5dfc0d2354c391263e5c5bca243150eee0cdb747f87404c9c74fcd6bd348

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
9a5853b12ed96dcbcaef28ef71a82303

SHA1
b4bc55ed74d790f23a5623a3f86b6f1e52223685

SHA256
db8b53dda66688dc3b585e113d69bf598461b06819d412b0e0295ebf38e283d1

SHA512
2c301bc3dcbebe636830c4a2d246ca6c65bbd27cc27c407b2174786153ada1e4517875bb021e73eeaa9e95e0181b2dedad76328789e2369a128ef672a7b405e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
8e8ef707b2a6b3b59329fe54786610f1

SHA1
505c43ce22afb6f624eadc8e6959e5019984c83f

SHA256
b0c4654a97f322afe2665bb5ca7afacdd33dfae8c66278724afbd0cd0462e8e2

SHA512
52473df7ac4d4e2b1dc23e11ebe28d74fb1a3ba7f5eb4f9334b30bf7828c677b484e1cbc5b0ae31b96f5c4af3e982465e5f87c4577f57f607e51d87b77a3e064

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
0b758b011d5c4717e3c5a8f176b73a40

SHA1
2449ef4484bdc4370beb07ec81f01fe34e6ea0be

SHA256
51b3982b21e029cd85c96f6eaa2c930ace8774b7cc30993693109a492b01882e

SHA512
4348c24755424323491396af879c0678792502f4dd3f12d04e6c2f2a52687dde157c5d938f86dc0806d6fb452b4782139c08633a3f40a341b14e60093b9d5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
a783a33558006832375a545c5d1a8216

SHA1
56b9074627d0381b521babe2f7f05f27285b4ba0

SHA256
994e22a6aab1be8386e3106b0b3c20bbf3e230801e0cebe4e5e9fc7c5335b79a

SHA512
05a2ecc82ff4e38ce52fe7c35475ae8bcfea948cdcf76c36da9287bb9f9770ed09365700f85b09014ae593a8fccd6f14b9e2e3ac6662991cd0421a8d82a2cc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
a7c7a00213de2441cbd8304d0f5e8643

SHA1
4cf840d17c37f87c6cfa7aa77b560fa122d1874a

SHA256
b57cba759bbd359da77bdf117480c54e93d4a2e3f0f0736408bc51b0d5ecfd6f

SHA512
47c884059b50d6fc840a5b2a6cdc59e134a761693414b69722d43dd052a1a49c91051dda8fb96d89f4895cf4568f91bbb13e7d28ceca96ab255898f237219380

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
e2d55769f88d805955fd83d72f99f8e2

SHA1
53817f7a646592945a4f203dde251cdbe319714d

SHA256
d631f5e9799373cb5844a737eab1f23083d259f46eb42fa49a4c836afb80051c

SHA512
9ae5dd566c3f2127d8f7ae9aeb938c1b05f41735c6347a4efda8336aed9f880f3cea7d869fc7aa0a89cff92b7cab03c7571046e88531022c14727122c7f39131

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
2a939e50acba39586a3cf5c641cc03a9

SHA1
f230d4d6fe6d91a3075ad73e4771d11de24e8e2d

SHA256
25371058afaaa944ba09225c3a1d2ab97174bf266ea0f8de32065a1722898f93

SHA512
d824d7d579098c225ed54fa2e6b4a1352933acdc0ebf7235b50dfd40a14ca133e86883fc538a7e38946382a6a40d92fb7b2664b126b016292ba8764bb2d8183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
0ad323dc58c318e83945b33881ae7901

SHA1
4c9b4a0460d4d5bb01f241252408e6692392b3a0

SHA256
48bcd502ae768b78f917f8bfda2e0b0c5532b69b535598fedaad23d8d240c2cd

SHA512
1808780314fd74f6d7f90363d13e86359673ba1ac04d0ae14f9ad39b90c23b6b1fb68bb89890215b853c36a0f1876e68c7b630843f984c93cc4c090c046ac225

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
5837f999d8aef4a919249c94048f964c

SHA1
aae1b7eb106999aa35fec101989987fe525ad04e

SHA256
e1c4221d4bc89c80c9c1f012333aaa195809163ff169a9fa7d38af1a7b3c1d19

SHA512
73ed2ce347327005e1aa058fe9c5bcf41f7342c3d1540b4e6c068c8346a8d39ef78ebaf1c4463c47996c6895afd5e33abae8aece6bafd32991338ef9a5967a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
a956f0a0388f58eebba95f0af0883174

SHA1
0108839466e4be0204c842b0b0d47c713875b388

SHA256
e7bc617effb234908606852d924d062cdd7429c515be6022d8ed9ca57f5d60be

SHA512
96a76ca8f1849c8cd5266dc94be128b466de51d1e60bfbfc1b5a586cb185406474cc509ccc341679d185de847b3ddf31687493ab41bf12033d2ba3ff37d2d78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
8b9a10eecb324af785b5a8fd4d2cc53e

SHA1
2b7f3f559105200b55336dc5426c4d5601ff1e7c

SHA256
56054863fce8880ff9cb27aa99a05c6360b2ef1b560b659eb51034309a4ad375

SHA512
36dd05c5a1f11b7cd4a7e4e1017e1a0acc3a910a495959aced4f12fcadaf9af1c3d1049639ca78023ff244c4cf886311978156a9ebd688358f0ae92976fd3695

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
a9429993394c8a3c08b648a295a05188

SHA1
50e9cbad3e0681b5ca8c74713622df5f724127ee

SHA256
35c347f9da20cbc03fc27cdc96e05bac2b93aec81bd2254a5676063e5431671c

SHA512
33e79d4679f4cf4a01c8c3fbed3726c9ffddbc6b98818492da161b8a08f4220a7f791884df22d5ffb641461fd10c543282080c72bf848955a1b22a4f8a30c986

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
ab00fcb52b0b5128cc9ac6c81e80f216

SHA1
0c9f78353faa5708fe3fbdd73399faf38e32e5d5

SHA256
685d3c1ea3a6d1c3064fa8defcbf454b400a6ad768755e9c602d5778b1749444

SHA512
628831535ef5aa2c054d93577e758645a32de91e29e5ef86460a48a9dfa52fdded87b11cf5621c6e16dd788492597578e93fa63b86e3174489b4c077c6697e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
d3e659266690c8101d096c3c2bb5ff5f

SHA1
385bdb7938eef61c2401c052a28ebc681c2ec273

SHA256
d24740d6a33ac400e49ca460cdda42c5a4f48d84c67c29188f59a19c9bce3b78

SHA512
6f8332b7110015f0af23886d7e0ca6123f4604cfc227ad87d7544862efce4df5f3b65622c95619bc1ef2f011428987d7e5840cc6531e11270d0156f12049744b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
bfa6ed577ea2d33adbac11bb8a1af599

SHA1
2cc0cc0e62cc649d936dcdf6782ef871f5fa7b92

SHA256
f90f4ee8b0d92918efe11494868b7ddb387ae3b7c4e7d773599e160cd86d0cf3

SHA512
3dca7d607f33d391e0cbc27d64fc317e2c6784e5e9deb9fd2ebd80ee51280ace7306d69408663e1b70cd0f623a33b6291244a1e55312f3ae4620687544d12e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
b4770e5b3011fded9c8e3ec52225adb2

SHA1
3d775b203b9b2efb7694feeac3bee5bd1b6510f9

SHA256
c532f0a5009e1cd7987591d6646d8677552e09240fc52064b102bce7dd23d002

SHA512
15db8e7d4c75ee74b03c737137d93eceba94955b96236446f6a1ffa065f60dbe92718af4fbc03abd7527c2ad7c3294993f3e354fe9a75df1aeeb519e5f040d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
5ca684fce6f23df3abee73d31a80c7cc

SHA1
19daeb7fb5962b1019029bf1ee655a114af02e35

SHA256
5cc739dc15f168177a5fccc9c0c3ff4bcd63137e75b7b749dad5fc22de566e6d

SHA512
c771b13ee04919b65a50219151023bd34977ac3f45b925926e58f784b3b271212942079ffbcad277dfc87d8719caca88e47da9ee91950e1042ec38caf53982ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
674c791c5a7523a73c3b100540c22488

SHA1
c89d2d570c216800d002ae1fe87f162ded02c6c7

SHA256
15b676ec053e4b9b7b2115c7c2cb423caa0b2b1dbd0ca74275240122bb49b709

SHA512
7ac720a7237011fbcf3bda3563d13fd8f1d3ecbc132abf0b78b6f96563482e191435b3af81edee71cb911bce16228eb015c090ad34482950081a484bcfd742a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
44eaa8026b36430bc493958c4d4fb011

SHA1
ee94fbd3111eb61ed5fe1287b87a53dd3ee739f7

SHA256
c59cb0a2bfcdd5a845c6e9d46ba7e5b44e55bbd392d6ffdcb919d7b818a3db95

SHA512
ac01aa35a75882268aac6c4b76019d9e77088d81592e0a7578a5a874a1830f47e821677a7d91c9d2a172e774b08b37605d9cf7a4fda6b61f75373f2e1c502a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
ec07d180c3bf7cd1a04b3aed8f228428

SHA1
593e7aacd3124684a0bfdf59efbb7743e24f6fcb

SHA256
bb70724c8a27aafae8dfa1eacaa0be53a0cbf6780b88f8f9ac8c4f4da07e2e4f

SHA512
8ca7ba665a30149e2c1656aef3e8096e0e9aaca5bae597930be6b520d77a818a493526630afee3011683c1795b13329616b8d05faafba9b3494714142d9515cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
c0a0b7933c67f49ff112cc06f56ce2d0

SHA1
1492fde4a1ebc55d80763e9892a5a5570b5d5edb

SHA256
2a5e97b781284302a4decd5dbb15a67f9ab62d8e3b8039f73a375d9e189f9b0e

SHA512
59c671f9c1c1b1654f58d9f14d748dea0256ceb700f212ec48132cdc5d8dfa6295f1677e413f3f3ab960dd7b805e4981d6e3f518d1f3a28dd6228a168cd4fd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
c7360b2e1a5183c00426413ba1cb815b

SHA1
1ead66097663a5b7e5d97e1d5193fcd8fe4dd807

SHA256
ac7c9f65c6242bb788f225d3b7e423ff1569d012e520fefbe3007607b62ae209

SHA512
0157c9513dea88cbde03c4ca0f75afc7d478c73ea82afbae6f3d2ccd43bdea4306c2e85bbf1b499de741ff0d6e6243df54ccb241f94a14f9408adc8b9c2cdb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
14f58bf27269063c3e61899ba87b8840

SHA1
53681305d7ef778c338f1fc0aab789e0e42d8aad

SHA256
e86907e4cbff08b4530e60eb82f146ea4c401c86e8765ecc0de8935bc79bf70a

SHA512
e9ca93cc6d37a448d819a196b62e799e8097de0db2b01519e2c4681ed43a6510a45182f39925116d7fecd2c9d0345b5de698b0c355a0dfb26f2cc16663f289f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
6506456d42adfc15daaaa7b5b8161415

SHA1
4ad95a856374e188db2338e64e827f951bebc74b

SHA256
fba0d0cf1bcc3279880d1c7f38019bc4857c8717c6e1c15b1f2758b3c1a65023

SHA512
b64af74dd103452a3fc79847ef0d5080a961481f5057026864a32e8624bd56e7f6e1876b83248d4b765c2287c384f77214c10686f6f5c5abbc61afb878bc6418

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
45a3fbdd4119c9356deb8f2953f78240

SHA1
b715b288ef73c56d3359f1fed168dbd8de0ec8c0

SHA256
7539d8c6eac5433d9bdee317ff0e1843ea1d4612b5ef2eb48bb043694918422c

SHA512
a85d2226379c6e66d5e383e61a0ea6dc0c9c092f490ebe2d727b373312c08eee19aedd9479d126dca095fcc878744452a2a0685dadcc76de5f44270baf197fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
02e5d29bea9cd9f77233a98e8681c514

SHA1
7d3041ee9958a5b511cb0e6fbb49323a1010f724

SHA256
3354e84065360fb8ee72254e6f3738d8f7d526f6f2db6bafc9a3e1c694dd55ba

SHA512
7d376d919f37b118ae7ccf0cb3799953adca558160a969273af1160e58d15ff00ad57cd9d0753c564c494315feb504ec0e6a41c745944e114b973a1446fae8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
fe6cd62fd7c03e6188687b3fee69d8db

SHA1
821d9470292341b236303b50cb09051f6421b27c

SHA256
02f7d3423add9d38845adf366dc3f877fa7b7ddb6a3d5e697206021f03c1e581

SHA512
f9b1db530c775d5040ce75db21f299943ca3b457626540c96749f66404e9b36148c4356c7a44e019116adba247be8d532f1799bde16589d700f3759fc0c28b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
718680d764769b2ee12caeb0f784d91f

SHA1
104c550d843416b99e1098e531d540f586c27408

SHA256
0ff305e5518bdea055b67f52d5ff8e60f43d76f936681fa1807e2081fc652cea

SHA512
d6c94d22453ad37b6d5a048da56806a8f503c58c385c37a9bcda06cc8580d567762940f40309a5c9065e7e3e5933e893ae0411c0fbb11560a5035bd1c8a23415

Download Submit
C:\Users\Admin\AppData\Local\Temp\4116.tmp\x.vbs
MD5
403802fffdcf45b6476d6d35a615a2d8

SHA1
63bf3d07ffdb58946c7f5a02ed5d50582eed0d18

SHA256
39c75eb124b811133a052a6e48f3be0824d45b9ffa1bdc9904320a7e39d56d99

SHA512
3b302ad4a363e373516d61511f0dc0e1331f036bf12797a628c7a6ebc92e78ee52a737a7cc4f709ea302635636f963659313876a88744ab498fde5d8dec3a171

Download Submit
\??\c:\horror\scream.bmp
MD5
71da1eae2be419d58f50b9a4edecd9a5

SHA1
f85815f8184e7aa1a0062da376ab851870466d66

SHA256
fa03cbb06cd0a6c4875f5cb770476ebc6947b0fd366fd779bfd4c9f8b0899536

SHA512
be46a45de3d966a02c74218357d288948292b0e772a6a18bfc4c5d0b805af050d0044db18a60913cb458b5ed4f2c4fa913621984d412fc5a0edb3a0b57ee9fd1

Download Submit
memory/208-9-0x0000000000000000-mapping.dmp

Download
memory/424-36-0x0000000000000000-mapping.dmp

Download
memory/564-23-0x0000000000000000-mapping.dmp

Download
memory/676-39-0x0000000000000000-mapping.dmp

Download
memory/696-28-0x0000000000000000-mapping.dmp

Download
memory/1152-35-0x0000000000000000-mapping.dmp

Download
memory/1408-37-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1408-32-0x0000000000000000-mapping.dmp

Download
memory/1540-20-0x0000000000000000-mapping.dmp

Download
memory/2060-16-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2060-11-0x0000000000000000-mapping.dmp

Download
memory/2136-22-0x0000000000000000-mapping.dmp

Download
memory/2196-93-0x0000000000000000-mapping.dmp

Download
memory/2264-43-0x0000000000000000-mapping.dmp

Download
memory/2308-42-0x0000000000000000-mapping.dmp

Download
memory/2428-27-0x0000000000000000-mapping.dmp

Download
memory/2456-2-0x0000000000000000-mapping.dmp

Download
memory/2576-21-0x0000000000000000-mapping.dmp

Download
memory/2644-18-0x0000000000000000-mapping.dmp

Download
memory/2716-26-0x0000000000000000-mapping.dmp

Download
memory/2848-41-0x0000000000000000-mapping.dmp

Download
memory/2888-31-0x0000000000000000-mapping.dmp

Download
memory/2932-24-0x0000000000000000-mapping.dmp

Download
memory/3184-30-0x0000000000000000-mapping.dmp

Download
memory/3508-6-0x0000000000000000-mapping.dmp

Download
memory/3508-10-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3628-40-0x0000000000000000-mapping.dmp

Download
memory/3800-29-0x0000000000000000-mapping.dmp

Download
memory/3892-13-0x0000000000000000-mapping.dmp

Download
memory/3900-25-0x0000000000000000-mapping.dmp

Download
memory/3908-17-0x0000000000000000-mapping.dmp

Download
memory/4060-38-0x0000000000000000-mapping.dmp

Download
memory/4116-44-0x0000000000000000-mapping.dmp

Download
memory/4128-45-0x0000000000000000-mapping.dmp

Download
memory/4160-94-0x0000000000000000-mapping.dmp

Download
memory/4176-46-0x0000000000000000-mapping.dmp

Download
memory/4188-47-0x0000000000000000-mapping.dmp

Download
memory/4232-48-0x0000000000000000-mapping.dmp

Download
memory/4248-49-0x0000000000000000-mapping.dmp

Download
memory/4288-50-0x0000000000000000-mapping.dmp

Download
memory/4316-53-0x0000000000000000-mapping.dmp

Download
memory/4344-54-0x0000000000000000-mapping.dmp

Download
memory/4392-56-0x0000000000000000-mapping.dmp

Download
memory/4424-57-0x0000000000000000-mapping.dmp

Download
memory/4436-58-0x0000000000000000-mapping.dmp

Download
memory/4488-60-0x0000000000000000-mapping.dmp

Download
memory/4500-61-0x0000000000000000-mapping.dmp

Download
memory/4548-63-0x0000000000000000-mapping.dmp

Download
memory/4564-64-0x0000000000000000-mapping.dmp

Download
memory/4608-66-0x0000000000000000-mapping.dmp

Download
memory/4624-67-0x0000000000000000-mapping.dmp

Download
memory/4668-69-0x0000000000000000-mapping.dmp

Download
memory/4680-70-0x0000000000000000-mapping.dmp

Download
memory/4728-72-0x0000000000000000-mapping.dmp

Download
memory/4740-73-0x0000000000000000-mapping.dmp

Download
memory/4788-75-0x0000000000000000-mapping.dmp

Download
memory/4800-76-0x0000000000000000-mapping.dmp

Download
memory/4848-78-0x0000000000000000-mapping.dmp

Download
memory/4860-79-0x0000000000000000-mapping.dmp

Download
memory/4908-81-0x0000000000000000-mapping.dmp

Download
memory/4920-82-0x0000000000000000-mapping.dmp

Download
memory/4968-84-0x0000000000000000-mapping.dmp

Download
memory/4980-85-0x0000000000000000-mapping.dmp

Download
memory/5028-87-0x0000000000000000-mapping.dmp

Download
memory/5044-88-0x0000000000000000-mapping.dmp

Download
memory/5088-90-0x0000000000000000-mapping.dmp

Download
memory/5100-91-0x0000000000000000-mapping.dmp

Download