Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-b8yk7sbg7y
Target https://github.com/pankoza2-pl/malwaredatabase-old
Tags
aspackv2 ransomware spyware stealer upx
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file https://github.com/pankoza2-pl/malwaredatabase-old was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 ransomware spyware stealer upx

ASPack v2.12-2.42

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies registry class

Opens file in notepad (likely ransom note)

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:49

Reported

2024-05-09 01:55

Platform

win10v2004-20240508-en

Max time kernel

353s

Max time network

363s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old

Signatures

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "c:\\horror\\bg.bmp" C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\CLWCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "c:\\horror\\bg.bmp" C:\Users\Admin\AppData\Local\Temp\72C6.tmp\CLWCP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Globalization\ICU\icudtl.dat C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 5088 N/A C:\Users\Admin\Downloads\A employee has shared Covid-19 report with You.doc.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 2188 wrote to memory of 4812 N/A C:\Users\Admin\Downloads\HorrorTrojan.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\72C6.tmp\CLWCP.exe
PID 4812 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4824 wrote to memory of 1800 N/A C:\Users\Admin\Downloads\HorrorTrojan.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8360.tmp\CLWCP.exe
PID 1800 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4812 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\72C6.tmp\flasher.exe
PID 4812 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4112 wrote to memory of 5020 N/A C:\Users\Admin\Downloads\HorrorTrojan.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 2068 N/A C:\Users\Admin\Downloads\HorrorTrojan.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\CLWCP.exe
PID 5020 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2068 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\CLWCP.exe
PID 2068 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1800 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8360.tmp\flasher.exe
PID 1800 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4812 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4812 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5020 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\flasher.exe
PID 5020 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4164,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4168,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5016,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5484,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5516,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6000,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5996,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5140,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5464,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5388,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5132,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6356,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=7148 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6972,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6992,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5812,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5448,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:8

C:\Users\Admin\Downloads\A employee has shared Covid-19 report with You.doc.exe

"C:\Users\Admin\Downloads\A employee has shared Covid-19 report with You.doc.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4199.tmp\419A.tmp\419B.bat "C:\Users\Admin\Downloads\A employee has shared Covid-19 report with You.doc.exe""

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Covid19.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=5640,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5444,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6436,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8

C:\Users\Admin\Downloads\HorrorTrojan.exe

"C:\Users\Admin\Downloads\HorrorTrojan.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72C6.tmp\horror.bat" "

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\CLWCP.exe

clwcp c:\horror\bg.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\Downloads\HorrorTrojan.exe

"C:\Users\Admin\Downloads\HorrorTrojan.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8360.tmp\horror.bat" "

C:\Users\Admin\AppData\Local\Temp\8360.tmp\CLWCP.exe

clwcp c:\horror\bg.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\flasher.exe

flasher 5 c:\horror\scream.bmp

C:\Users\Admin\Downloads\HorrorTrojan.exe

"C:\Users\Admin\Downloads\HorrorTrojan.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\Downloads\HorrorTrojan.exe

"C:\Users\Admin\Downloads\HorrorTrojan.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\horror.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\horror.bat" "

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\CLWCP.exe

clwcp c:\horror\bg.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\CLWCP.exe

clwcp c:\horror\bg.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\8360.tmp\flasher.exe

flasher 5 c:\horror\scream.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\flasher.exe

flasher 5 c:\horror\scream.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\flasher.exe

flasher 5 c:\horror\scream.bmp

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\screenscrew.exe

screenscrew.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\timeout.exe

timeout 1 /nobreak

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs"

C:\Users\Admin\AppData\Local\Temp\8360.tmp\screenscrew.exe

screenscrew.exe

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\screenscrew.exe

screenscrew.exe

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\screenscrew.exe

screenscrew.exe

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\melter.exe

melter.exe

C:\Users\Admin\AppData\Local\Temp\8360.tmp\melter.exe

melter.exe

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\melter.exe

melter.exe

C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\melter.exe

melter.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\4199.tmp\419A.tmp\419B.bat

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\horror.bat

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\bg.bmp

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\scream.bmp

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\CLWCP.exe

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\flasher.exe

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\melter.exe

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\screenscrew.exe

C:\Users\Admin\AppData\Local\Temp\72C6.tmp\x.vbs

C:\Users\Admin\AppData\Local\Temp\8360.tmp\x.vbs

C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\x.vbs

C:\Users\Admin\AppData\Local\Temp\8AE2.tmp\x.vbs
