32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864

Analysis

max time kernel
704s
max time network
2309s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-08-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

146B
MD5

9fe3cb2b7313dc79bb477bc8fde184a7
SHA1

4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256

32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512

c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1908	taskkill.exe
3156	taskkill.exe
2176	taskkill.exe
4044	taskkill.exe
3624	taskkill.exe
7724	taskkill.exe
8776	taskkill.exe
9052	taskkill.exe
7444	taskkill.exe
10164	taskkill.exe
9404	taskkill.exe
9060	taskkill.exe
7068	taskkill.exe
6516	taskkill.exe
6772	taskkill.exe
6244	taskkill.exe
9136	taskkill.exe
1320	taskkill.exe
5336	taskkill.exe
4904	taskkill.exe
6100	taskkill.exe
2168	taskkill.exe
6980	taskkill.exe
5580	taskkill.exe
9912	taskkill.exe
10780	taskkill.exe
11104	taskkill.exe
6660	taskkill.exe
4760	taskkill.exe
4972	taskkill.exe
1644	taskkill.exe
7392	taskkill.exe
7908	taskkill.exe
10756	taskkill.exe
8564	taskkill.exe
2576	taskkill.exe
5712	taskkill.exe
5456	taskkill.exe
6044	taskkill.exe
6508	taskkill.exe
5260	taskkill.exe
5344	taskkill.exe
10640	taskkill.exe
11176	taskkill.exe
32	taskkill.exe
1524	taskkill.exe
6684	taskkill.exe
7980	taskkill.exe
6720	taskkill.exe
4492	taskkill.exe
5216	taskkill.exe
8936	taskkill.exe
10204	taskkill.exe
5260	taskkill.exe
4156	taskkill.exe
6312	taskkill.exe
7788	taskkill.exe
6116	taskkill.exe
2036	taskkill.exe
8368	taskkill.exe
8556	taskkill.exe
6456	taskkill.exe
11208	taskkill.exe
7196	taskkill.exe

Modifies registry class 64 IoCs

Processes:

NOTEPAD.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exefirefox.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\document.zip:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

firefox.exe

pid process

2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\document.zip:Zone.Identifier	firefox.exe

pid	process
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	2200	firefox.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5864	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	5388	taskkill.exe
Token: SeDebugPrivilege	164	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	6036	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	6116	taskkill.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	5456	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeDebugPrivilege	5656	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	6332	taskkill.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	6980	taskkill.exe
Token: SeDebugPrivilege	6648	taskkill.exe
Token: SeDebugPrivilege	6684	taskkill.exe
Token: SeDebugPrivilege	7120	taskkill.exe
Token: SeDebugPrivilege	6440	taskkill.exe
Token: SeDebugPrivilege	6764	taskkill.exe
Token: SeDebugPrivilege	6516	taskkill.exe
Token: SeDebugPrivilege	6452	taskkill.exe
Token: SeDebugPrivilege	6508	taskkill.exe
Token: SeDebugPrivilege	6728	taskkill.exe
Token: SeDebugPrivilege	5580	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exeNOTEPAD.EXE

pid process

2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
3492 NOTEPAD.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

firefox.exeNOTEPAD.EXE

pid process

2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
2200 firefox.exe
5228 NOTEPAD.EXE

pid	process
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
3492	NOTEPAD.EXE

pid	process
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe

pid	process
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
2200	firefox.exe
5228	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 3152 wrote to memory of 2200	3152	firefox.exe	firefox.exe
PID 2200 wrote to memory of 5100	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 5100	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3896	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3344	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3344	2200	firefox.exe	firefox.exe
PID 2200 wrote to memory of 3344	2200	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\.html
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.0.1231827545\1615164630" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22b16dca-b1ff-48c9-8a4d-4f2fd3e58e34} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 1780 137dc6d0e58 gpu
3⤵
PID:5100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.1.1033376135\413296290" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dbdbc00-1945-4edb-b316-d8a8319c62b6} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 2156 137dc5f9858 socket
3⤵
- Checks processor information in registry
PID:3896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.2.1827494571\1325541040" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2864 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f88f9827-0d68-49b2-b01f-936ede33ea62} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 2880 137e08d0458 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.3.881059185\685477668" -childID 2 -isForBrowser -prefsHandle 1028 -prefMapHandle 952 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13de6d52-f800-4ba0-8363-a57a08f39912} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 3240 137e0e90558 tab
3⤵
PID:3500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.4.1993097094\1342170333" -childID 3 -isForBrowser -prefsHandle 4660 -prefMapHandle 4216 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0cfc46-a846-41eb-a06a-27981b1b34b3} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4648 137ca366858 tab
3⤵
PID:1968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.5.432440979\1817795020" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4904 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d9758fd-68f2-4768-96a4-41db75e94d6d} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4824 137e2ad0b58 tab
3⤵
PID:3672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.6.1084907186\2089135661" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {720ed97e-3123-4023-bc05-2c7a68993acd} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5016 137e2ed8358 tab
3⤵
PID:3368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.7.118605814\331503791" -childID 6 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df95ad3f-f703-4af9-83b2-215a79462dc0} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5468 137ca32ed58 tab
3⤵
PID:4172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.8.1705110261\14978995" -childID 7 -isForBrowser -prefsHandle 5772 -prefMapHandle 2876 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72aa6507-e584-426d-802f-eeb85d9a5716} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5756 137e0962f58 tab
3⤵
PID:4044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.9.1900575764\1287462006" -childID 8 -isForBrowser -prefsHandle 5192 -prefMapHandle 5188 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fffbd937-b6ff-4c7a-85d8-63be048a56ac} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5180 137e3865b58 tab
3⤵
PID:212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.10.520291255\555044024" -childID 9 -isForBrowser -prefsHandle 9444 -prefMapHandle 9440 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3cb9bad-cd95-42bc-8405-ea233dc14289} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9452 137e3868858 tab
3⤵
PID:32

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.11.1590057475\1562750496" -childID 10 -isForBrowser -prefsHandle 9152 -prefMapHandle 4148 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b081437-34f4-4cc4-9a9a-6f76f7407b91} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9076 137e5a09b58 tab
3⤵
PID:1640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.12.1538008191\2112998005" -childID 11 -isForBrowser -prefsHandle 9452 -prefMapHandle 3036 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a08a3c74-dcc8-4a45-888f-5dd7aad527ff} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5552 137e5acfb58 tab
3⤵
PID:1104

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
"C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\142113c5-f445-4d40-8524-e968109f3e15.dmp"
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.13.1464032470\1996375297" -childID 12 -isForBrowser -prefsHandle 9236 -prefMapHandle 9296 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce1e0227-0245-4859-b997-cd766033ddf3} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4984 137e0960258 tab
3⤵
PID:4972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.14.1674841612\562621053" -childID 13 -isForBrowser -prefsHandle 2608 -prefMapHandle 9208 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7291d07d-bf39-4de0-8b72-ef8ac5c4d60e} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4724 137e2ad0b58 tab
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.15.63833811\2030839229" -childID 14 -isForBrowser -prefsHandle 4576 -prefMapHandle 8932 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd477341-a3c3-4884-8342-d0f4f87c8efd} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4572 137def23558 tab
3⤵
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.16.600485768\598846134" -childID 15 -isForBrowser -prefsHandle 9196 -prefMapHandle 3892 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b713223-7c73-439d-b07a-5e5ed2a93d22} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5420 137def6bf58 tab
3⤵
PID:376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.17.1902287626\1228159165" -parentBuildID 20221007134813 -prefsHandle 9096 -prefMapHandle 9484 -prefsLen 26817 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd4554c-7459-4073-91b3-72436ad9e936} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5704 137dfd41858 rdd
3⤵
PID:3236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.18.342386317\1104591498" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5188 -prefMapHandle 9404 -prefsLen 26817 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa64f6cb-aa44-421e-91c7-ae67fc9af46d} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 8920 137e0804158 utility
3⤵
PID:4412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.19.101590688\1756519913" -childID 16 -isForBrowser -prefsHandle 5188 -prefMapHandle 9460 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9505e0a6-01a8-4cd0-9727-c1dff5c192f9} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 5516 137e084d958 tab
3⤵
PID:3152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.20.159389881\11415834" -childID 17 -isForBrowser -prefsHandle 9612 -prefMapHandle 5028 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df0b4462-35de-4db2-bb7a-106ad605d204} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9568 137dfd40058 tab
3⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.21.2022698130\115718882" -childID 18 -isForBrowser -prefsHandle 9192 -prefMapHandle 4552 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5b12069-c26e-410b-96ac-b1ea864d5b8b} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9452 137e2f44458 tab
3⤵
PID:3180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.22.1367844566\123593719" -childID 19 -isForBrowser -prefsHandle 5496 -prefMapHandle 5464 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d605c33a-4dc8-4ff6-b47f-d31feb356e72} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9880 137e4976658 tab
3⤵
PID:4540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.23.652547531\520515835" -childID 20 -isForBrowser -prefsHandle 10096 -prefMapHandle 10068 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d8e87e0-9386-4503-8528-32b183976d83} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 10084 137e5fbea58 tab
3⤵
PID:5924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.24.1385154380\1411246038" -childID 21 -isForBrowser -prefsHandle 9800 -prefMapHandle 9788 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66904000-101f-4da5-b5fd-239d1b182e99} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9792 137e427be58 tab
3⤵
PID:5368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.25.326459434\1075464167" -childID 22 -isForBrowser -prefsHandle 5028 -prefMapHandle 4660 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e10bba-2bd4-44d9-b16c-ebc17a87f942} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 4992 137e437cb58 tab
3⤵
PID:5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.26.1621674599\1221699195" -childID 23 -isForBrowser -prefsHandle 9144 -prefMapHandle 9164 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bc47ee-dd47-4283-a52c-32498b530748} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9052 137def6c258 tab
3⤵
PID:5872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2200.27.1233686060\1988412066" -childID 24 -isForBrowser -prefsHandle 9788 -prefMapHandle 9988 -prefsLen 26817 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3082db5-a2f4-49dd-b000-3991f33ad0d6} 2200 "\\.\pipe\gecko-crash-server-pipe.2200" 9976 137e3865558 tab
3⤵
PID:2832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5676

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd
1⤵
- Suspicious use of FindShellTrayWindow
PID:3492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
1⤵
PID:5596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\more.bat"
1⤵
PID:5708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
3⤵
- Modifies registry class
PID:1280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:3908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:5996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
- Modifies registry class
PID:4192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:9084

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:6600

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:7376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:5028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:7692

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:5756

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:7444

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:5700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:4252

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:7476

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:7520

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:6720

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5412

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:4756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:6948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:2852

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:7228

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:7560

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:7724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:8216

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5352

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
PID:4836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:2704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:7772

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:2336

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6684

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:6156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:8820

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8836

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:8872

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:8880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:8060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:8980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:9184

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8800

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:9144

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:6656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:10860

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:3992

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:2208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:5024

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:1392

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:7392

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:7620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:8592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:5652

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:9624

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:9788

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:9912

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:11040

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:3004

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:6032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
PID:4640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:4340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
- Modifies registry class
PID:8120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:11252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:6508

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
10⤵
PID:10740

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
10⤵
- Kills process with taskkill
PID:6660

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
10⤵
- Kills process with taskkill
PID:4492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
10⤵
PID:5808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
11⤵
PID:10492

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:6432

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:7120

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:2836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:5800

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:3984

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:1320

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:4120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:4520

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8256

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:7328

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:6684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:10980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:8732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:8728

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5020

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:6992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7864

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5392

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:6244

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:5344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:3728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:9140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:7788

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:1404

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:6264

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10324

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:10748

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:10520

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:10532

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:9248

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5528

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:164

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:3944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:64

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:3420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
- Modifies registry class
PID:1240

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8396

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:8776

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:8792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:7612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:5472

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:7776

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:3624

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:6228

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5144

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:5512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:8068

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:6804

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:5260

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:8432

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:9256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:10432

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10804

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:7328

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:9124

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:2992

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:1076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:2916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
- Modifies registry class
PID:9548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:2176

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
10⤵
PID:6820

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
10⤵
PID:7020

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
10⤵
PID:10696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:9092

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
10⤵
PID:5572

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
10⤵
- Kills process with taskkill
PID:9404

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
10⤵
PID:7616

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
10⤵
PID:8776

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:11176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
11⤵
PID:3788

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
10⤵
PID:5620

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
10⤵
PID:876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
10⤵
PID:8508

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
10⤵
PID:4660

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
10⤵
PID:2220

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:7072

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:8484

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:8936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9308

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6104

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:3888

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:6176

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:2136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:10916

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:11192

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:11200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:5748

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:8960

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:9368

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:7048

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:7084

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:4776

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:7600

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:832

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:7460

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:1684

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6332

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:3708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:10684

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:1952

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:5308

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:3660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:5424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:1044

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10264

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:10272

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:10280

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:5180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:8284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:4120

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:3888

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:7508

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:6312

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:7512

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:32

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:6908

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:4160

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5776

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:1356

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:8520

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:8548

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:8556

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:8564

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:9564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7200

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10612

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:10596

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:10968

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:4720

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5860

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
PID:7240

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:6752

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:5840

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:7304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:3736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:3396

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:3460

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:8020

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:6652

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:4548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5756

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:8680

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:7968

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:6204

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:8368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:9144

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:7612

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:10652

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
PID:7068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:11156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:10100

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:6528

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:4548

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:7008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:3672

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:8164

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:7208

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
PID:9060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:10968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
PID:9120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:8284

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:7640

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
PID:2168

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:10800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:8484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:10620

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:4064

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
PID:7788

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
PID:7196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
3⤵
- Modifies registry class
PID:3028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:5252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:4228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
- Modifies registry class
PID:2480

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:6460

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6980

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:5216

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:2908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:9092

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:9208

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:8248

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:8096

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:1644

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:9204

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:10424

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:10780

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5680

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:1640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:9476

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:7584

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:7832

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:3156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:8264

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:4508

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:436

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:3092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:6076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:8512

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:7492

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:7660

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:7980

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:8540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
9⤵
PID:10452

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8112

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:6276

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:6456

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:10108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:4060

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:1176

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:7028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:9012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:7452

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:10356

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:4904

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:3224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:4284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:4092

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:11104

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:6100

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5568

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:6176

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:1604

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:6216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:10432

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10300

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:10756

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:4056

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:5592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:4280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:4572

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8344

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:8720

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:8728

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
8⤵
PID:9316

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:6244

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:8424

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
PID:3788

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
PID:2636

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:3840

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6452

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:7188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7712

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:6408

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:6772

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:6520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:8464

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:3568

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:4104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:2204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:6388

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:3676

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6648

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:5992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:9016

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:9112

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:9128

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:9136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:9332

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7900

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:8104

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:10640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:2756

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:4704

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:8224

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:10172

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:4148

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:3784

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:2544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:9492

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10140

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:10164

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:10176

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5096

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:7128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:6420

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:6568

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
PID:4044

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:8388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:6444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:10396

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:10812

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
PID:11176

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
PID:9264

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:10568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
3⤵
- Modifies registry class
PID:3176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:2012

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:3356

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6728

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:2708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:6480

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
8⤵
PID:6644

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
8⤵
- Kills process with taskkill
PID:5336

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
8⤵
- Kills process with taskkill
PID:11208

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:9036

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:9044

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Kills process with taskkill
PID:9052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:9340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:4856

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:7416

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:4456

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:7304

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5368

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:3492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:3532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:6060

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:7332

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:8228

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:8584

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:204

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:5276

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:7368

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
PID:7612

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
PID:7908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:8292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
3⤵
- Modifies registry class
PID:6092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
PID:6716

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:5724

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
6⤵
PID:7344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7260

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:6552

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:6476

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:8476

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5732

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:4780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:8148

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:9048

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:5428

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6516

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6764

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:5236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
5⤵
- Modifies registry class
PID:8736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:7640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
7⤵
- Modifies registry class
PID:10428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:10424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
8⤵
PID:5488

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:10960

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
- Kills process with taskkill
PID:10204

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:8408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
6⤵
PID:8876

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
6⤵
PID:11144

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
6⤵
PID:11116

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
6⤵
PID:9136

C:\Windows\system32\cscript.exe
cscript "m.vbs" "This will be shown in a popup."
4⤵
PID:6228

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM explorer.exe /T
4⤵
- Kills process with taskkill
PID:2176

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM taskmgr.exe /T
4⤵
- Kills process with taskkill
PID:8368

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\document\crash_overflow(dont run)\crash.txt
4⤵
PID:6764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
4⤵
PID:10404

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd" "
3⤵
PID:3632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:5952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\document\crash_overflow(dont run)\quiet_starter.vbs"
2⤵
PID:5492

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
1⤵
PID:7968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\13443
Filesize
6KB

MD5
cdd40ddc62bff277614df1268ebcd86b

SHA1
221f43e6d342fcc888eb498fea2857791a14c3e3

SHA256
53f3ccb602adb2fb95847f27335a4c6fd04379732812aa47ddb6d70c25ad1eb5

SHA512
afca9937207f41823491b3785afa01b295cb29b1597127556eacf574eb172dc9e3fbeb6cd11ac37ee3da01a2121ae9e693a664698ac18cd38a15830d28531c33

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\13484
Filesize
1KB

MD5
505684b8277d2bbfb701f3b50a92d0bc

SHA1
35b2b253765f2be8f8566e22a076248f9ecd9f83

SHA256
0bb314cf18359e1fa216bf475870f3f47473620dafb98032add19d533bc6af7e

SHA512
34579275bb6f2a36fc05e880fbd70994d5937c3069229b04e9480dca3680fe185bac61fd37cf8485436ed6d3c00f9bccaf4773fb23a104772581d5b141e72b65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\13755
Filesize
2KB

MD5
97486bf2332249bc46b12ba6b4d39303

SHA1
70bd380fb682c0a996cfb23205f8a2dfbda5662f

SHA256
ff971c0d4a27a8cc84d518fa2a6b9537421841438f73c279e267daf625be9d67

SHA512
6a7806b0d2b94cbc366c37b0846c34bdb40152db3f6d1b05a806b91ae20e65d144000dab47cba3150b64978b1a4e37b6c14dbec8094ee1055924d3b8bbe0ca36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\14433
Filesize
16KB

MD5
de2a5f1e9d76416738ee5ce61520bdf1

SHA1
da761a43c56fe032d368920d54238266b07f7af5

SHA256
f16bcb92fa7cb14718c0fc9e5d41ad641c5867562d59ff044c7b464ca9def72f

SHA512
beeb34b2ebaa79aa36cc171e786c20ad89776d6a6f37984a1b43e280b32aaa628a6dd97c5bbc0bd2d1cc9715aa463bdacd2d31b6998f4cf39d00db9f27c8ea29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\14588
Filesize
2KB

MD5
705f038c3363355c10ed5a5b730a1a50

SHA1
d5c3b7e6f0266b8af178d86f76ded8ad5b7fedf8

SHA256
cf29f25ae3c25ca1c9fcaa406c1cb12dcda7ed7d0bae32ec615e07e98fe1782a

SHA512
89aa76d41222de3907b7cda25bea14577b56edc0589ceaeea479cbb97ee57d4ca72b38485d37c19fe44ff0c3ae0c98e62857b3d224fd9689475f51f710b2b36c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\16148
Filesize
5KB

MD5
7ccd5a5e7520aa097bca8719a00dbb52

SHA1
c8268d56765b192f683b9e656845fa8e347e77ab

SHA256
770ed5e19890f08254f86d3d1355142a97a77505ecab478c317cec4e7dcf2dc7

SHA512
fa03da8510c15525d719d62dea97d594a85835000cb16a3276e3b8f840a382fb217ee75de2828f63b4c543bcdc1bf83bc17a47cbf845c5fb1d3b6f48326062ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18067
Filesize
6KB

MD5
ac3b744013ae0d385073be20207c0757

SHA1
c8ec59a5b5df20287ff7e61e0dfc04443c2b53d1

SHA256
18d2dfe7a20c4b6a677170eb6bbdbbd5d2f4e2692e63b42e266da4abe45a9ade

SHA512
a1228df5884e5d531aa9d2d227164b01b7ad6c9d19cf3fce206b624ab41fe813968b1692d9ac466a6baff6718f9ebd9a39f9dac1b7a38d75a5a64356259a3f47

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18147
Filesize
2KB

MD5
743c6ae1fb1094ff3b2a6525b32dcd34

SHA1
2b45d0f5c6bc1e1085c308807115daab003a23f7

SHA256
0d471fcb0e140e570f410d5f6f1374df38e15954b0b4003101387f2238929fe2

SHA512
17a88073332c1b464030f3e539803cffb5be2d4648d4bb3af8b42fe10111a527a7ed696c8bc23f7d7e30fef429390d39984f2360949ca7d6c9b3bae96ed290da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21333
Filesize
1KB

MD5
77dfeb6d1766dddd005d47ffd6283d2f

SHA1
e1a878c7e16d569dbd1e11fb4c0a4933bdcbac38

SHA256
ad8ee87f0e3c1a7296b88ddf3362cab9773c8ed2dfc9180b0c527711b3091a38

SHA512
bf8b9afbc4778366857fa7129fd86383d31eb9bcb0ea949dbef00e4ff2889a4f4d9e11506e0a6101ba63e259bf49c7d8bb9713a447c5d9041a6098053453a186

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\246
Filesize
47KB

MD5
f898554a310c10ff1d776c77b03d18df

SHA1
853d5e48180da77c06ac3ea2eed93c82b839cdeb

SHA256
5c08ac74eb8e1135d420985a66759c715e687a7cc214f8cbe22639357653f80f

SHA512
aa5884869f9e97fb2057068012e82269f37bea699cc1270fa11558f3cebaaf6426a162361df8776f77a320d00811f378bae7762b59165961514612a36769293f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\28842
Filesize
20KB

MD5
974a27a6039b196c00bbf5cc004448b2

SHA1
66ca763ce436bbf69e8c795916879ed24079e381

SHA256
e2ba631577aad15b40ef0b632e403f6cdbba033050dee837c3451335838bf6c5

SHA512
bd1f7461c72103e765dd866ab7e6d899b0c202abdbe70aadcc19bea1615c30cd217c67f759a9746cbe8537303ddedb2f31c248e7ad95abc343dd4f92c87a5c35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\29469
Filesize
18KB

MD5
2d80fc558b00af35a80103c7af8e0102

SHA1
acd8e229960fe5f5865705e2d6da7970bce6f230

SHA256
8d7c88fb2674a56b8e41fa62b000bfcfca1eea20f9441991d9cbc61d441cae67

SHA512
4da16fbe34ef5bdd43d4cf667da435ab80a6fbac78a7992031599c13a0885199e2da3e2beded4ab0b03fdc1be572fa1ffed13c5f5896d7031f608f5ed272432e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\493
Filesize
2KB

MD5
8f7912e9059725c4307abbddca82fc96

SHA1
0e16f2e2b35513114cf8077f47f6cad6c6e5eeb9

SHA256
b192d8c850d39a4a3cafaae9387734432bfc391360ec22c38d46b70224df0179

SHA512
7625aa71b3d1add118e5f1dab3214a6485c9d7a29ff4b37b7b70bd7d49bf4e1dc4459308cb3f2521161b8cb20471100855f3c89d6b788a5fd9e7b14f38645666

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\6464
Filesize
12KB

MD5
6714bc25342697f026577113395672a2

SHA1
53b29d6686f69e2ee0fbfc83e37419da2b8cd63c

SHA256
ec3694112633dfd51f44ba23a6906cb1251dd3a17fe08bf6a8f1c1ae46e7849b

SHA512
7b59d2f756e4c5581f0caa5907b671131e6718326e1fcfe7a8526047d1ec16a343e6194b2c755a6d943815c82e0b5363293b06102c21de801414c5b7d89ed7b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\0A73C6E23F02820E5C7F05AD9890531BF91D87DB
Filesize
111KB

MD5
758ba52499d5512cdce593b214f64e50

SHA1
99d9cff7ef8d233cf5a5bf484f139bdc640e56bb

SHA256
dc150c211dec9af0f63333e4909a0b3a07751890065c2d8b8903761723c85f16

SHA512
3dec45ec1fda33716b9e881e3c8aa87cae19a119d6ae4f872761c0f44a576ade53b179be79e217d7efbe8cc04a307d8c27170047b2e9e6bc5d8fbc6e7813c5f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\104AB95E8F5528602FB92632764F65FF9386C262
Filesize
1.2MB

MD5
89e3ba980bfec0fa4ef7f94d738ce76b

SHA1
8a3abe363a4dc3dd56d4efab0facaca15c2fb2ed

SHA256
4600a33acce1c278f8cff03dcfe1f76290346d2cfb2031665d2a3d723df802a4

SHA512
97c2d3149990d2906529e4e32603b140907e5e1cf3c87384b0c9abc1823e766ba06f73adf49eb0c2c7ed118c9da24e2064b9907f372316d0cb57ce413d36efd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\12F151A98D083011893ACE0C99B7CDFB2B13B7C2
Filesize
17.7MB

MD5
735d3799fd5753ac9d2d185ada2f2d7b

SHA1
8616040ca263c5dba8bae617ab89bed5cc81d2b0

SHA256
b3a5e49fff3dff3bbe92e4b826e6f78c4c064ea6057fa8220886fd3f0ba80689

SHA512
e966278d2dc21c8631de232518269853990ce8a79f49204ed6c781a20528653bf28ba189a95b6d46ab54799aeceee76559a717110d4eb647ed29f763f0e663a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\2A2858AF962DFDD41C4223B7B9B1890D806D7FFB
Filesize
16KB

MD5
ed26365f04feecdb76117ae06208b068

SHA1
8065b80dde493526b09143879217a0e3aa57cd7c

SHA256
396bba515fcca5dd17bf99501e897cdeeff4b3f905a8e1166ba5e1b95fb2ecab

SHA512
b00970cc9a1f123a1e81c6874d6fcbe2b45a41985f8b1a767e390c1966718f33b32bf6038a179476577799623807ad900de3dff1506d63cd261287ee514b0b2a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\35CC20089037E781BD6D558B97E39F2474C40BD6
Filesize
15KB

MD5
76db0e54131adcec26524626a8879947

SHA1
7beb725827d3e68ce8a7c343f537374722380bbf

SHA256
79d47b35780b004c40623b6f101e93926ef209c441c1233a942a57b8b42ad833

SHA512
6f48de13d8e1bb3a56386bc29552243a4d1b0c19a592a6ed7e7d2c4a3ac3894cbaa0066bceee2334b58956cd045868446b7f171aafa1d2abcc2250af3e3405d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\3639DB915CB6F1586C1F2E714E80E54A707E0A0B
Filesize
177KB

MD5
e295a4eb37ad7e55e633cf0ae88f9f72

SHA1
c0dddfa741f72c522cb28cad7c7bd49eaf7289e9

SHA256
ac777812bd8c96bcea6acade8f7ae0cec938d6dac0c95f44693b46488737e066

SHA512
cf33d8a99d534cfac78b8c50392a7d2fe99dce6352d3aba621ea33485129a72574c306ab7b882423eb14825f0da522db79e811217aa250d61bb482fd45d28d3f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\3AE8A7630FA301F782F91C341869CFEB9C2E9519
Filesize
16KB

MD5
5f48e695257ddb5b1917e361b5f13138

SHA1
afff7567d04015cbe3f278d8090895b0bcc62ecb

SHA256
888c2b3aabc1e22a373e1ac070f9be211149b8f10c4188daa0c115e296fb9406

SHA512
978e5a6fd06095fa15285b4ae34022ca84904f30c44f18fca3e611c4341a4e29bdd808f51c3f562da081203edc67eef7003151560b74529de0435f3a124a3b9f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\433A6F228D60A54A681AE827C6F2C9517F9A8C25
Filesize
141KB

MD5
622d300a7378fdb79ec0a6d8809bea4f

SHA1
346884da4e3e074c8cb2475c12d33876b1dfa5be

SHA256
d9b40a849a5fb91f39e1284940035d6d168009eb0e813056f1c9955d2d22c0a6

SHA512
f321584c04561872d8200b5ec43633b0a8d7dc6b21c58948a09041fe51b660050a9e668e979811ac75d1565d56336209e6e72c95f0d0259cd8df8913eef975ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\43AF6A0B96B65E9C285379BBE64C9DF77572921F
Filesize
1.3MB

MD5
1c3c0681bab6f4fc13e11498cc1cbfaa

SHA1
d35e518ac1b907a6a3b8df2831f8ae7d8c71aa4d

SHA256
6a12f8e61d05f15f6bf02e47781316f9610f8b7f46e56eec62006c91c17afddc

SHA512
fc4df35723bce8d6b5408db7e7732e32f89dddb3bf14e06a59d3dbf5f3cd0f95bfe1ec2456e773511b1fd98c36bf56af35d03872895d97c6721353ec4ced02c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4
Filesize
1.1MB

MD5
6e7c396ac2dbe3490d0b2bbb4eaf24ec

SHA1
29c46c824c2a63e3213eaeaa4daa0296705d7304

SHA256
b8ba6a1e8ff86d0983c02088c57a9a58d45e9410837b0086522c9123e27513c3

SHA512
e35acb9b13c15bccb68571e0c129fdc75f4207249c28c9813fdb0f01b0d0241c91b388947da53ae939d7e94c7b5e178a8723c7a2f2ea195f01d869648ee3983b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\483C26C5EB9CBA8F8DC58D68D0146414CBD8B1DF
Filesize
62KB

MD5
eb4dbc7035ffe9da6b830109f29ba3c2

SHA1
c47f5302dcbdf04fef6577bad83959aef365bbf6

SHA256
b03da70939695547461fefbb301226b636747fbc026ee514db2e2f099524a0c5

SHA512
92f4c06b7609db94c73746c620a86a398a4300d73e030b95a55d06053cd0cc4aa957045d42833c78cc446228f28e517b075de4be69d135b95489a12601978898

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\4C7B6F2CAD8B3C17C2BFE488FBEA72FE061AE34B
Filesize
20KB

MD5
e692ec80feacb8f679898a95e79604d4

SHA1
166a6524b8f1cf4d3a7b281ad2d153b0bf7a86e8

SHA256
f046c78f35aed3324f54aafcc668d0814df0b93a39c5c04925d04fa4d75e854e

SHA512
67861bd0a3fc460a6d566339532779c8dd5d6c59c281fe48825d3c3dbdfbc2f6efcfa17881c3f22779253f56277694e68497ff554db2cffb00abc934147b829b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\5524427E76785200FACC0DF8A5808E07217D7E24
Filesize
14KB

MD5
ad0c1e341c9f1b246193dabe3af1b86e

SHA1
e1137dd3a72bf45e6461cd3c134b2e40e2087262

SHA256
f610174e51c16a9a4b7359932f5fbdfda70f11768bd7b4086015727f8c118bc5

SHA512
31ceb941bcf057b3991b3bae6f6f42ea75b53ca5f2102dfe1c05d54d9d1411e48d68a2d3ab55dfea48553c91f9ac7043758c2654dbc1984424f298594375e8f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6171C3DCD3501947A8FD700724EF6121B8CDBFBC
Filesize
13KB

MD5
af94d81af8736ee41d865c3f68f5d24d

SHA1
414465d6b78197d969122d719e0c6bbc6d913c02

SHA256
daf274b97283c6b70162e1e0270f18e469a7d7b45fe756b1eab4c46c03cd4ff6

SHA512
2e937f8b124e0d02fcec955c8e7da140781ba0f750df83049a2426c12339e0e51096889b985e7b0e6595c5d6e0d35f7514da2ba301a531454db5358e41898a63

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\64734067DA3FCAD3A190A95377C1AC95EC2B62AF
Filesize
314KB

MD5
2421e0defd261524fe69c31bd8127abd

SHA1
b3969ff9a2394b5f346183fc6a562effd0d385fa

SHA256
151dc853300e40562085a560f45ca0af97e503c8b627082f56f4613093e9d304

SHA512
772201ac8d16495e4e878ec41a98d6b125b6aed8aa9f9a3127effdb014243fd84310b1c21096004b63d44c455c4668470e09177a036f00c122272fddf17f3e18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\65A8E961DDBBD55EC04CD308B2503879B755B039
Filesize
93KB

MD5
57bee4e8cdf8d245eb49f232a26c2aea

SHA1
fcbd8f65224fc2f12968d18ed594ca8ccd92909f

SHA256
28a4bb90c0ed0a9658b0ff6acd830fd3c8359ffbef8be39f1be2b5226f177116

SHA512
b7b18c272e1a05591b5dbefac6035c12262cd423528bc73d141100c3895b636dc02f2d1185a84740eb450a6f2c8450a8295028b81ed1ea62c6ef49be141da82d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6718705F52A6665651669F64F054BCC011C4766A
Filesize
71KB

MD5
1cfe29eb028f335383d7eceeda78c06c

SHA1
b05c73921b17bb811c9a8e74ba5429739314dbd2

SHA256
4e4e8a978085782b517eb5d19a71afc5974e9d15c2c543caa06ea022dbabb886

SHA512
7f5a329b2d4c3cb942cecdefd7953c3944ec1ec4c35c436281224118b63b656f97c316ef7f918d48be85dd380feb28dcc65b98e2cbb728f8b1ec5f7d1360f103

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\78C5602AD9B870C6C4D381677456A348D0186FE6
Filesize
97KB

MD5
098b76a2578b299f34b52f58953fc3d2

SHA1
c135bd30d9af78208a3e00cb5ab91c83d04dc9c1

SHA256
7b42b1042354ee932247e7bea71fd7f2494467adc641fa60e43ed085f6e7ce06

SHA512
e7a8d827f43b7607fda52291e6e15a0a434fa5ddefb19e1e011b706f50312cff7998a3765ce07e778d096ab06f8b3c6ce314c6bec63b53f51c0b342304aa4af2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\80E40493E66F98650D12C73CDEFE29BBACA89328
Filesize
221KB

MD5
b5213215848e520a7266b38c4abb9bd3

SHA1
6863796a7825fd993e5c0d604514792f3b81c91c

SHA256
a6bedcc441cf6b96a6b650740e37b31633d9eb2434f747e68639d9115e50e9d8

SHA512
478895c52b074caa2ca854d6026ccf6195cde1cab387dd09b5dc70151a426ac6cad4e98fecf92b75b057c8b1e1c1bf48c29f64f920bb1e4b0658b29d360e932a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6
Filesize
97KB

MD5
f8d5d346ec8bf392622979f39a604b71

SHA1
4aef29ebfbc8e2ab2dc028bb22a64a66a851e0c0

SHA256
6e5b4a7b405b27185e8bd412afc12daadab4c777abbb129be9d950bb238cf283

SHA512
19afb963b374e5754d0f5071dd444941230b5b7c3cbdbce76c7b887c823282b447a090ddbb112a78590c5fa9d60ec780a2ca9eec0574552141b19f465df8991d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\98AF737DD946CA3B37F8CD63EC1E1756F57F2E19
Filesize
68KB

MD5
18adb28b33b3bdebda4467d91b36a3fd

SHA1
bcb5f34fe02204ae23f8b327519a38fbabcc707a

SHA256
237fe930c3a2f25c18276e3be4244784ff83b3989eeb74fd650f1f7f8a15e533

SHA512
df56dfa8dcfd21d852e5e8c99f6fc8512505d622f9340afe3ef6a9244257cab76296b2d697585b299a6efcfdb902268824fc4468e6e7898e46c0311c9e072878

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\9EE19E38B40F86ED1D63A1AB272806591D4C7415
Filesize
182KB

MD5
af59f0578f5c493106705691916bec22

SHA1
92b29a52b175aedd7831dd261ed289f9b4ed2178

SHA256
c2dea59213ab4c7e6fc6d0c6015551c229f6a883f06fe7f413e501a6e02d810c

SHA512
28ab274f6c70e012de1b67c35f40f1684ee9897cfcc131a5dbb9c93dc5b1a455627bd5efd52641c15e35abf5c6a2a4511105fda578015920c4f279f4c800f6b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\A54BFC018A94D8CC549E6D8738E8DFE274855EEE
Filesize
23KB

MD5
bc82b1e40da7b5f359074b02bd961d9a

SHA1
e3a9aab1a8f8d9cc5f4cd4afedefbd14114487b4

SHA256
d43b89d439be419a2f74c9169399b478074c7dedb9573c066ec2023b73e75e41

SHA512
6a482437ccd77c82188dc66f01bfba72044387548d97fa806d8b9f5084e79794843669a87df7a9ec72b865c5e42e3dca864b0fb4386a443991e23f87563f2e8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\B02CD1705679E135A9D4633C85B218F56B1443BE
Filesize
141KB

MD5
9039d51f81f751b142a29816584d11a1

SHA1
bbfed2893b616760f01b62e47be7c4bd5f64c1e4

SHA256
cc817476e52f84cc5f7e250952ff0de5f3b17a8713ced0713e956d8ce73da553

SHA512
7230436ed9a3e769bafc61a6ee9496f2e4ba0d2573e6c94ebc70912425bb8f75917215fc25a4cf3cd7b5065f9776eba1dce67f96361e9aeb2445bf69dc797895

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\B8953C9CE846AEF79A17A09C295C86EA92208F3D
Filesize
17KB

MD5
72cc0a38df2333d050e1461c196cfaf0

SHA1
fa16baeb4625ac6426d37c9c331aba684d1ea2a5

SHA256
ebc7c5042d8eb4c3d7f2b70e08580f6ca6b382c7b5e01709e04af263421577e4

SHA512
c77db1e703560eb8db9a254600b4ef83edd0a4dfdcdb6b9ed065c11436063e5bc8a4b3597d729609a70c8802e82c13139246636c87ad8e6482a6b08cad76fd7f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\B96768AA611E503789F9CEE1104C53E5C3C03AB6
Filesize
34KB

MD5
3145b32c3621be3c5f66692a01f7dd48

SHA1
52ab9e23397c0eb8d616bb2c9848bfafa8e36f4c

SHA256
33dbf49bc8f2a35d154ebbbf8775590afe3b909b9f2c5de97a0035334cc0851a

SHA512
b0716d06b54d86c11b22f4ffb5caa03c0fd085c7c0bc54ba0f4635c4a85b13b1313211ff50f3aabdef5e2b00b09be193c79028709a6cd778163b04f9fe377aa9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\BAFE7053257E4A6F92E44C444D766B2BD718F658
Filesize
419KB

MD5
55908aaf3c6503c94d37a3cdf7dd2f44

SHA1
7f3051cfb0204cbe2021d2f45997b3f27dc7fd5c

SHA256
15549a9bcc6eb059dd8f5da2efceb9b1a24807146da1a764fe623d43aa26bd25

SHA512
af8c22ce47c465d81af52b568d14b461430db7ec83ec5e4ac301e69317960f5ac88bf8bd80b35c4e815243f788b22a550df4032b9204c8a647946735c5f93700

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C1234259433041439C0EC369577090FD96131995
Filesize
563KB

MD5
4bf1f72d4460cb0ba48fbb9a0c260876

SHA1
acad3d9488c52cc8fbbc3ce4eb348fb272a3b412

SHA256
ddd47ce3c9810270ba906e30363e13ffced55d9f9c9db40740cca65f81a38d33

SHA512
1409ef2c4846d2c688d234ff69e1fe8c997c79a07754b6e0c007696178ff192b53bcee02be7fb3eaf1e6018622a05e66a9da04e9bf4e5d09fe3a6236718f2b48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\DC9D9F0C28D6EBD1ADC348DC29248B1D4BA307F3
Filesize
13KB

MD5
514b3d4b51b856a3689429277e2cdc30

SHA1
143ba589ac45d2e0fe5576315c81f725fd56649c

SHA256
51846425b5704db521157a2bc74dc06bf3d7abf58f71d97a0941d2785ed662f2

SHA512
b98d3050ed8e3efc22347ad304de0fde03401922f02362a22c66accd59b47cd21f015c9252eb14366e6f3a37c53c1d7b26f3b5694b5d2376c4d0c00f26608393

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\ECC8DF1F2BC16594383DE0F9FA30C28F2AE61503
Filesize
600KB

MD5
63058b81e36ed8082102bb772f0ba389

SHA1
d76022f872f5e5f52aec9de403c5f0df0ee896fd

SHA256
e0eb572d8a13488af5d5d131b364a2f67ae31ea0fb29b379980e478bf0c7bbfb

SHA512
3519a59d731f23ac2465321a7a2963a1e159c3312c4d4a86436fc4ae439867ab0a8eb8cc3f0356f097eac3add244c14fda02ca85d6819a7578f5f5c949c476a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\EEDE8538402212B7A81E3E4AB009C20C0301B3E1
Filesize
89KB

MD5
bb9a6d12c3d7d7fa9f4ee27e26699a9c

SHA1
4dfdf362eadb9f1af2d74110dc974db686854280

SHA256
d499661e04c436478f4a70a45061709f7d0b749cd1574b14112ee68c6a771f48

SHA512
0c43c28b218630dc010b6aedb89bdbbc2c7e20b9b4032ede329dcd56241cb8bb33cb1bd5c7c9017b87b93da835dda2145e704a1855b81b33385ac9e3090e22fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\thumbnails\447c1d819532470f427483b5c2ad32a6.png
Filesize
103KB

MD5
296d0fe2e7e2229ec40a58e140d4eed3

SHA1
1cfac0e4bf716026d365b640c6daff060df5fe16

SHA256
d6d95848cc6fa777003b9716fba91ddbf855dd8e3d217c68fa77e17005b16575

SHA512
960882d409b7bed6bf8202fa8f8e007032e365ff23eff1b5b5d3fa49ee97900832d021d9e78b9c7d418b2e36e7899c82445ce2295ec0841819f95ad8f98f1277

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\142113c5-f445-4d40-8524-e968109f3e15.dmp
Filesize
236KB

MD5
39a3e453cdbcd9def6dc448a0be41b7b

SHA1
dce44345228b6d6ff318205a9c575072deb99f44

SHA256
27bc327a670f4f34ccf9b354f03b3e203a2df2faee39f0dd5c8484c78bb5d8da

SHA512
61bc5f7f91cfca1f715061671700eebd7b9e47f137e7c48eea968fb132990ed60d936dc5310eac20345b55b79a4b72e6105428b7688ffd0bd861ac8708b611d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\142113c5-f445-4d40-8524-e968109f3e15.extra
Filesize
12KB

MD5
c573fbe0abdaa3f7d1097c9f5ea7269b

SHA1
03807df7f79c5face7dca93594c32c76df4e41b6

SHA256
d1bd8ed7d95cbf8c64cbc51e0632b278fa1a386c9494a8efa23f3621d6a14a80

SHA512
3f375cb741f8a1a7e063aab1b8b6c5ca2b56c69d3abe9aff53477b4ecdbc9980e02fc7d201a259b9c70ae17fa8fb54a0e1cb5e1afead25000e684b0ad90777ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\142113c5-f445-4d40-8524-e968109f3e15.extra
Filesize
14KB

MD5
bb6519df4c607a31e9a075e29ee02b78

SHA1
c5f7c24405961819370918c542e449a44e65b572

SHA256
d76a36d03cce0dc4902bc77ac77d55f84f37bc542b92765a7c268ad533d87ba7

SHA512
df389dcdc307669c68b0b96295925e865bddf55a7df053347f837e90be0103d1c0467f235423235f33c3615ba2595100f5fa80b76d47c2ad995c5fa611a70300

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\crashes\store.json.mozlz4.tmp
Filesize
6KB

MD5
b29abf18a739488179d64dd545e69545

SHA1
0c04ae8384f4dc9bb9ebd60dcd0076a74b7a71ea

SHA256
44cb0b32128eb45d963a51468c6dd9b6d60ce2de5dc380ff1f3c62931bff600e

SHA512
41699593306e17f985ca037264d07d8ed2a1e798f155e2a1489c51f43b382b63f8dda8a45bc11eed14cfe78eaea6f7b4ba95c018503f8d7c7e8f3abb63c28ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
eacab28c000bcf84e5f6bbaf01d1949f

SHA1
ac786427ac4c91badf8a9a9f914640f1c10f455e

SHA256
98024583baf303ab66ae71b7dec16c4e9507764a60855f9f7f4e086edf5d067c

SHA512
a938992c4f32b9111874fc6dea34ebc2267e53442891e5577616a18081b1f03c98de7454734e843114915db754bb415c64e6398c118f00fe2a05ae33f7ed47d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\4bccfa56-1e16-4cdf-9f88-844a0739cc32
Filesize
746B

MD5
28eb67e654375e0118bedf885383cb70

SHA1
c51f18963992024901c8c7b8d7812911fcf7bf8e

SHA256
e04e9a37ea47a4b909906d91e8cb061125cf81e0edb4e1184c55d49fa54e32d1

SHA512
2fe565614391acf064ca239083f8f9bc5a563537db44b557be21d9864907c62a29e1a823cb4cc296078d4d53b1cf3a5892fc58713a36203482a764dd59a6f4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\bd247336-1297-482a-a244-b59bbaa1abb9
Filesize
10KB

MD5
bf2cc38b4f4a1094c540fada35281100

SHA1
8ffea410265ed2a221074096d95e0162f1d4398c

SHA256
d2aaf5a50d89916e90d73a956a91d22ff128fd340a425ba3b2f3ca384a49f06e

SHA512
dc19678e356273e5006ebd73954f17aeb1e9cec96564199afb65a5b27216f7f5ac7d2b276569e592bf9639e38f2de9848332e9d98da48e2103e29984fec59d74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
2cec38af3be83cc2bd55611cadff5dfe

SHA1
6c9ec73d4da2bbe4848c237b874656ecae056e4a

SHA256
1bbf19a773ac5ac36012757865671b1e0f54139e6ab2903f806a5866e7e2ae35

SHA512
e53f66d9a69cec4475751a8c44746eccec89a4110d3328c50909d9131ab4047a810ec136d45a8f3b18ddadfffa535b5f7deaf01d10e11746898a70f810b9789a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
912126c52427bde2136228b570c4afe4

SHA1
b6c71efb77cf60292ad9fa68d63d34aba4c759a4

SHA256
788de2808f919640fcdbb1ced75f8b5a5eb06c3a9e6b8a778184f97fc54bf2de

SHA512
d41017da530e7f55af98834df565630cc12e5d2a635aeacac7b74b3c73a6517fbf006481e159882a4bcdbcd5015ee1a1d91668544ab1b56ba06f658ce123688d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json
Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
26KB

MD5
b677fc845b063f7f3a2014f37876b0ff

SHA1
e584461bd4eb5a4d95e2f76e53034e38fd2dd64f

SHA256
cf8426399d7f11d3c7942cda463f59f1f21a8f0d15c6304b4d43c19e95929449

SHA512
58f485c8953b29bc538aa427f79bc49260c4191162975d9a81f7e0b5dbb288f43063b23b6018d41d0294ccc68b985c6dcf42f4062f2eeffabcfbe1d8814fb597

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
39ec7289190e6da32d0afa6cd85a9eb7

SHA1
6a6cb9f1689c41ec5c26d31fc8fd4269443bcd67

SHA256
cc38de7c336001625cfa5115c659195d325f7a0b11409b848197acde198c3a9d

SHA512
66058ce606131ee477c5bf70b1a5737b109067887bca3bb32d2aafb4ba2e68cd3734e1b1ed9e3ae54040b81f2bd6bbbe95d239472623ded9e4c05fc2758c5729

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
6b0adf81917b1684ae09108503dfc8f9

SHA1
6e808b0cc96d42bd47673aeb09e0e437e8fe6a7b

SHA256
fb17c296262b10a2a7d84e8ffe55d19972fd7a1977b8d6e57daa2f82e11c7cc9

SHA512
a2f075023512e0a470cb2757a144a901220b0c9a5f9deaf965ce88e1b11e2b8123fc7e3b8534b4cb9b2f13cf0d64a939aad0bb34d4aca3c4fabb8581b3d5166a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
f5b7e4ec60719347b56f614a0886814c

SHA1
eaa7303f5b5e754c6b26ac4d1856adceaa3a7771

SHA256
501323e597450a1ec294830f70c96079e6415fc1d391653ba73f33d476dca501

SHA512
f41e8f63e5ec7e34e2402093fa8433bb9c40cfb1d85553aa279ea4b5b1a4cf6c4ce256d816ac37abfcf72fcdf076043a223a71bf729e5c9dfa7fa0b2ca634e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
7873a92f000515f53c7594d3e10fce90

SHA1
c7564bc16c301c562ded556d88a2f8508071319a

SHA256
3a864db1602b52f7a60c79fab34f1b072acfa47c17ef51e61454de433ce7bf69

SHA512
9592d4feaa7d585ed59d7a0084dc67635986def03aa428decbd4d4203472152bedb566adbd5ba77c7c1d8131d3bfbc206016be2518e8df50f18d21b56a0b88a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
16KB

MD5
d7ab9fda85b6fa6877469144163353b0

SHA1
77e5f61681bcc70780e252d5c7e0dff7f8221c42

SHA256
4bb221e8c5482ca8b653f718d354e59f3c59887031197913b187c41b1d7d20bc

SHA512
6afd31703091ef7b276a725e69979ada6d93bb12fd4a0dbf375e2976c6a324de53c5411583b9bf4795646e7f20d69dd3e50656c0e08c73b1007b8316f0c4dce5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
fc232dbf65031b016964172c5121b2a3

SHA1
3b81534523f1694ca495ebf861a2ea8bbebe821e

SHA256
bb7c86a809ce37c4ddeae0a40a55b4fff75c1171052d9ac60b5e20102b7d0cdb

SHA512
3bf361aa3c2ba634519aaa94cce437a9bd6332fffeaf18cf553972a7e0a00718a9c3953391b786fa89d0cfdf741df81712743b4b76f2c96c1b57f4a645968984

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
5c1e36e2e8e76fa8b43b408d114946d3

SHA1
c781388bc2fa950cc848066dbda6fdc4e13faea2

SHA256
5903c34fe271651097a88caa65f2dbeaa105e9dde3ad88b34a417972a20bf93e

SHA512
9b9b163545bd3935fcc4ac3042dbd0daad1f9ae9ae8a5990a98c592751e7156d553ca6612e108ce515e02756c44424166dc61e069df3f75a87440c8f5708528d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
16KB

MD5
f1392e44a0a8dd7fd7bf8e20dbead4f1

SHA1
5f33e579e5de514774beff184403204a4ca38466

SHA256
316e47ee1ac3f0d56ce6d95d649d8038672383e2e15538fee98a0385693c276f

SHA512
bda69ea95aa33e86d74768714aeb9e75d07d0fac9523403a52e366000de56a3fcca81dd2cdcfc20cffa32bd049141adc788ed8d36b797bfa14197ab5a46e6732

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
Filesize
25KB

MD5
c415b12a9213b36827bf63106cf2f716

SHA1
ed5489cd0690b467ae98369ccbcf8f5e9130dc60

SHA256
fa9dd2938f70b3ce0935058347b29d2074e83060a7a13d36854b6e830ecde635

SHA512
53e0966a734827cc74af855de132a044996976af0a0cee4f3611d982616e8da5c496856099b9d49c97d706c91018ffe8fd88e021dbdd61d52f77190987fd17cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\Downloads\AFMsh1et.zip.part
Filesize
601KB

MD5
fad8331f8d223efe8a43e372fa58b893

SHA1
179e72e47223c64350397523367e00b97bdf1cac

SHA256
19410d558618b6cd8f0064081e5aa83a340e32b5d81df71095c5c7b992da8ec2

SHA512
3b20866c799d89e0475f7d6636306a0c46b7b2d9c8259007fee5ee5be8ddce4e847fcda492ca9da379ed742b77a03fbbe828ceb34bcdc946ee334163da78234f

Download Submit
C:\Users\Admin\Downloads\document\crash_overflow(dont run)\spam.cmd
Filesize
200B

MD5
88c5bbdf499d6b6fa7cd97da74419e26

SHA1
71b359b0c10b74ce8db6de212fd7e10577d236e3

SHA256
e1e14145fb82e967c265948c18bdd222859eb8093a6167510a06e61f33f044c9

SHA512
c723f24202d2777c89bb723f3508b270321260ec9fdbcdd1ef394131404bcf41101518524ae752520152015f9a0e383a15146c2e84b726c875a25ad13f9fdad1

Download Submit
memory/1280-2281-0x00007FF6CBF40000-0x00007FF6CBFA3000-memory.dmp

Filesize
396KB

Download
memory/5260-2275-0x00007FFC05F50000-0x00007FFC060F9000-memory.dmp

Filesize
1.7MB

Download
memory/6076-2270-0x00007FF6CBF40000-0x00007FF6CBFA3000-memory.dmp

Filesize
396KB

Download
memory/8736-2278-0x00007FFC11730000-0x00007FFC117D1000-memory.dmp

Filesize
644KB

Download
memory/9044-2272-0x00007FFC05F50000-0x00007FFC060F9000-memory.dmp

Filesize
1.7MB

Download
memory/9052-2277-0x00007FFC05F50000-0x00007FFC060F9000-memory.dmp

Filesize
1.7MB

Download
memory/9120-2282-0x00007FF6CBF40000-0x00007FF6CBFA3000-memory.dmp

Filesize
396KB

Download