hxxp://Windows 11 21h2 x64

Resubmissions

03/12/2024, 17:05

241203-vlt42szngr 8

03/12/2024, 16:45

241203-t9tbzstnfz 8

03/12/2024, 16:37

241203-t43ngayqbq 7

Analysis

max time kernel
366s
max time network
338s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/12/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Windows 11 21h2 x64

Score

7^/10

aspackv2 discovery ransomware upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0002000000025cf5-1364.dat	aspack_v212_v242
behavioral1/files/0x0002000000025cf8-1375.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
5616	CLWCP.exe
1900	flasher.exe
5032	screenscrew.exe
1260	melter.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "c:\\horror\\bg.bmp"	CLWCP.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-1212-0x0000000000400000-0x0000000000C40000-memory.dmp	upx
behavioral1/memory/2328-1367-0x0000000000400000-0x0000000000C40000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HorrorTrojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3536	timeout.exe
532	timeout.exe
5960	timeout.exe
2060	timeout.exe
5036	timeout.exe
4164	timeout.exe
3324	timeout.exe
6268	timeout.exe
1904	timeout.exe
1596	timeout.exe
7156	timeout.exe
8136	timeout.exe
5632	timeout.exe
6032	timeout.exe
324	timeout.exe
7596	timeout.exe
4696	timeout.exe
532	timeout.exe
6660	timeout.exe
5940	timeout.exe
5184	timeout.exe
6604	timeout.exe
3440	timeout.exe
7680	timeout.exe
5504	timeout.exe
1620	timeout.exe
3232	timeout.exe
2296	timeout.exe
7036	timeout.exe
7128	timeout.exe
3012	timeout.exe
2352	timeout.exe
3712	timeout.exe
6108	timeout.exe
3032	timeout.exe
5228	timeout.exe
6828	timeout.exe
6988	timeout.exe
1948	timeout.exe
1000	timeout.exe
6128	timeout.exe
5800	timeout.exe
1044	timeout.exe
5456	timeout.exe
5336	timeout.exe
2200	timeout.exe
5892	timeout.exe
6188	timeout.exe
1156	timeout.exe
6076	timeout.exe
3088	timeout.exe
4124	timeout.exe
7748	timeout.exe
1664	timeout.exe
3364	timeout.exe
3968	timeout.exe
7912	timeout.exe
3608	timeout.exe
2168	timeout.exe
2452	timeout.exe
5640	timeout.exe
5540	timeout.exe
7516	timeout.exe
1504	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HorrorTrojan-main.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\Bat To Exe Converter.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2280	msedge.exe
2280	msedge.exe
648	msedge.exe
648	msedge.exe
4284	identity_helper.exe
4284	identity_helper.exe
3716	msedge.exe
3716	msedge.exe
4960	msedge.exe
4960	msedge.exe
5512	msedge.exe
5512	msedge.exe
5512	msedge.exe
5512	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4628	OpenWith.exe
6016	OpenWith.exe
1604	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	5448	firefox.exe
Token: SeDebugPrivilege	5448	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe
648	msedge.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
4628	OpenWith.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
5448	firefox.exe
6016	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 4048	648	msedge.exe	77
PID 648 wrote to memory of 4048	648	msedge.exe	77
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 1296	648	msedge.exe	78
PID 648 wrote to memory of 2280	648	msedge.exe	79
PID 648 wrote to memory of 2280	648	msedge.exe	79
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80
PID 648 wrote to memory of 3120	648	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://Windows 11 21h2 x64
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8bbb3cb8,0x7ffe8bbb3cc8,0x7ffe8bbb3cd8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,2870017862141040577,15228773060637178339,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2588 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan-main.zip\HorrorTrojan-main\Bat To Exe Converter.rar"
  2⤵
  PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan-main.zip\HorrorTrojan-main\Bat To Exe Converter.rar"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1876 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa9b2ed8-6ae8-4a28-8350-55163a3ba4cd} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" gpu
      4⤵
      PID:3264
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {205b46ef-5db2-4fa7-9db9-edf9b742f893} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" socket
      4⤵
      Checks processor information in registry
      PID:556
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3160 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f04573a4-c308-4cde-9cff-3a35d55fde3c} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:1156
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {089c6d1f-5306-4a93-aad2-6f4419cb89b5} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77cfd46c-8524-4fb8-a35d-3120398b432d} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" utility
      4⤵
      Checks processor information in registry
      PID:1904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b14d9e7-1147-41ca-8030-11026b3a5add} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:5068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee66436-76ae-47b6-b1cd-ee8b100c51d4} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:5440
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5180 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b98f43d-6676-4c1f-8388-23eea7dbc733} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
      4⤵
      PID:6088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan-main.zip\HorrorTrojan-main\Bat To Exe Converter.rar"
1⤵
PID:5472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan-main.zip\HorrorTrojan-main\Bat To Exe Converter.rar"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1868 -parentBuildID 20240401114208 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 24418 -prefMapSize 244930 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a83db070-deef-4fe0-bc93-3f1ceb2e0369} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" gpu
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240401114208 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 24418 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d89971d-dd54-4a55-b3eb-185ddd19e08a} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" socket
    3⤵
    - Checks processor information in registry
    PID:2304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 3312 -prefsLen 25801 -prefMapSize 244930 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06f980bf-d774-4f48-b2ea-431483fbd8c0} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" tab
    3⤵
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 30150 -prefMapSize 244930 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec803d6-6f16-4757-a0be-a93e318f038d} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4504 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4540 -prefMapHandle 4572 -prefsLen 30204 -prefMapSize 244930 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc9aad51-315b-4a8f-b030-e68b0cfdd238} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" utility
    3⤵
    - Checks processor information in registry
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5260 -prefsLen 27721 -prefMapSize 244930 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be865c18-9ad8-4431-9add-60b3c6dc43ec} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5324 -prefsLen 27721 -prefMapSize 244930 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {979256fb-4898-4079-9248-cc786d768c1d} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" tab
    3⤵
    PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5728 -prefsLen 27721 -prefMapSize 244930 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {433021b0-a596-416a-a503-26868c23486a} 5448 "\\.\pipe\gecko-crash-server-pipe.5448" tab
    3⤵
    PID:5736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6016

C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan.zip\bin\HorrorTrojan.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorTrojan.zip\bin\HorrorTrojan.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7A90.tmp\horror.bat" "
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\7A90.tmp\CLWCP.exe
    clwcp c:\horror\bg.bmp
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:5616
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\7A90.tmp\flasher.exe
    flasher 5 c:\horror\scream.bmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    PID:860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\7A90.tmp\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5848
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5632
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    PID:6000
- - C:\Users\Admin\AppData\Local\Temp\7A90.tmp\melter.exe
    melter.exe
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3848
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:6032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:6076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2200
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1904
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:764
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1044
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1664
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5456
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2296
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6596
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:6828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:7156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6336
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:6188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6424
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3968
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6268
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7224
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7296
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:7516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7904
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:7912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:8060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:8136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs"
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5f61719567d2a6c636573a817996eaf8

SHA1
bf36adc3e9bc6ad0f0728ecbaa9e90a16b194d99

SHA256
13469cac626252ec9727959d8ebe2c1c458d8298a4497f4d06df57d05aba8504

SHA512
a8e009eb74f50761d3c90ce1d85bcc3a2fab627cf5b7d7bc3ce7c57833bc5f0674747328378d251a0337cebd175ea3806baf6a7a3bae3c85a6761d2064300db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
6dd33cf534dc756ead1e7843e12ade7b

SHA1
ad2ff36fb89824ec39a586462f1acf02353d556d

SHA256
fef1781859cd76e11d59aad1b66ae157952e16e5ed707953783e22a49415d727

SHA512
bc5392503534fe3f1a9501537098e8f97a82525d858a7328956368d1ced5bac966cafa70d50b5f52ea272f4d29632bc203efcb2b98741ccd0c90d2caf4888677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
d8117a3390fea80fcbf558c2266b458c

SHA1
7fabf93ea0f4f6d16eaeb1d8fe938e70917383f2

SHA256
3ef08abff84c8ce236317df688f1fdb6c9c0d572d6927b8610002aad942a06f9

SHA512
34f13e22b10dcefbb4c5a5a8a943ac91fc4b5551c74eaf34c9178a19effd3499f7b1c34dbdba09ac9db65c91f8ef2b6e987c1b9daca624abf1877edd5925a212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
502ad08ba6e64afafe3e9acd0b9f44aa

SHA1
bffdab301023d5bb2b88a63b6281ce19e2a64199

SHA256
dee3a7822a94999248d1069584752fb852838516c8c610ff49504b567d00f11a

SHA512
bc9e36908853f9f137161d424f80dc0ebb52c10ec5ec1fb967a06ea827d660420e873359ce7934dc0070abecec6fcbba5dae708e4998398ac59dab3a2990a187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8873d08e0751d6ff3d92f816d1870374

SHA1
0170932c233e4189d82af745b33c398c08d70a76

SHA256
d2f18225cf8db0c580e91488916ff8dfccc3e745774c2484652b46b843f1f3ec

SHA512
8685bf2956eb5c221c7e0e57d9423e305936b6735d3d8e29aa4780eb1c757e04b2401e2478bb2939037ae398322773eba4d042362e6483cd086c65fa86e886cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8dde63f1a87862ec3f50854004c1f730

SHA1
cdbc5bdfb3fbf79f3573fc742bb73a54cd05c0ee

SHA256
7deacdc7272460df918fe2729853b97382961be6198edd402dc26b2d2915ac00

SHA512
a08dd4e914b38cde3cbee22a67e6a3e6496ec7f54120088e4f8550a21f373c17e5f033c9dd4518989784ec4ff8c45302f3311774814baebb67bf00a5e15dff2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f013fcefcaa63f211c4d2c8d9d6f10c

SHA1
af340c9ec0b091291eaa182566702e49df1fa5fb

SHA256
ce04da3ec5d8a35c689d0cb2aa938ad2c000bff57eb813390243fa86429461d1

SHA512
12184502abc591694811098a8463559c6a17cdf76c9be5521376595c20cec9b41871b29675b8daf8edcc5ca4ea0a7227790edb42274db9070554efaaabcaa960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
460a08ff80af46c0aa81be4a436e045d

SHA1
2565bdad88a31b04c87c3cc7593e8f8ab79357ae

SHA256
2436f440c605183386049150fb2702b98dbecfb1a72cc2391787572fabb49ac8

SHA512
f1a58301b855ea9403d8603ff7bc55afbfdbb09242e599ac1be294a632fca1bf440d6eb1db9808634c10b2df78bd088dcbdf00269b3f73038f50c1175959acfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c1e90e27b8839d3280f90a1237b2a792

SHA1
023955edd5f7861619b400540b2f22e302c8d031

SHA256
68a5d90e37fd916f0587720c7eb42575b1050e60977e0f46c5704fa0b955b4a8

SHA512
321110af77b4cf45f76d314cd26cc57af2e26d79dbb0f48c50481fff7750a6bab9f5441642149880c69bd9444363f5d3b8ff451a78ee8f4906abb2b054e414c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa61c7f88fc725c09c252622049a60b2

SHA1
1837c9abd376a02dfe44ab84b59319a531d3d442

SHA256
5d0b89aa7f819f55d8527ed7fbae80bfed0b6fffec9459b3740f2829351c63eb

SHA512
9596bb3b6cbe7096a22f3e9074f3417fd33e3d93b77ff7983855bb31a291f5c9f345b5e3d837db6a3695cbf4eb68110c0af1c7047782374b75a729488eb28a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588b34.TMP

Filesize
1KB

MD5
8790326a6930fe9a24fbdfdf3ea8f608

SHA1
40a88368740fb2982f96d446ba0f0024c0073f62

SHA256
3b119ce4565efe1703000dd4f168c17b86fc1ed25bc270c0a69884c2000d44f6

SHA512
22940a6f17ae5e7e993de8ca2e0c8a031baa6f4b017d76060a21f1fade7054c9a6f33bf79ee3ee63fbaa6ab9f3bfb41adf07b7f9fd3322df3289691698904bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e64b8e5fe577c3f240b6b4905a539606

SHA1
2b35562e25d31c867fe6316537100ce0c1838590

SHA256
2811179d6a081950e494777d7520fcc1e3fa6706c5cc784c1c11fb3b1d385b17

SHA512
38e13a8b4d324125c7457de248ce2c8620787c2d4dd52f9aadd417079266e0ee60a0935007aebe3353cd91f88041e0fc032ab3539e251710a5e35a67a53beaee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f21f8e0966f657e3e4835df876555289

SHA1
290ebb18e0a1860ca26167893c749e23a9451a4d

SHA256
ea6de35f7b4ddc9b057ebbdab6e2e9da83c6eee1877092a95d6061b2a2555729

SHA512
c5fe66c80897a493dae4686a9ed744d2b502dc46d822d8faf59ba30c5caa654f2607a80c26d5828fdc064d291392db34f962594ae1c7f09987a9f08c351cfc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d459e772ec62b0b50d6fded821432f8

SHA1
c785d8d2798d8c5a42331a50e3f3a131ef1baa08

SHA256
6b9b63af3338f71e81f4f8061284b7d1cb2439c066bbff63cd33835f98843afc

SHA512
8a43da9b0772f13c5517c9acf25bf4364e89088e54ea026ed6e90f3debf14cd900016adee36f2ec653459b923d4ad2ebb36ed7ead76556e3008d52f41c16789c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b526339695536a5f469b013c47509496

SHA1
e457711c9c771e5146473a5ba31d63838cdfd74d

SHA256
8ce1a42c02d233dd19c9f28bfb77471a47389cd20702346944361c964ec90848

SHA512
39d7105b74a078f55726b3f07856ec5236c7e749fb8bc9585909e614061b514947906c5f38315df4b8d78fc014d1336c70d4d43438761bc93d5cf5216b1ff1b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
e7495944a1f918e7403f6ca07948b521

SHA1
271cfbad3bc2de842e9b2b29b564833d588ac007

SHA256
fba0845195a08d15c831966c371765bd7b67ed53ba05f062a0340e831d7176dd

SHA512
5a0253363e6e623cafa7c3214b3d9f9fd4b4ca7f9c8b8ac2b225867d544a67a0e08af62a1f36f86a73672404e4c0802d0fd050ede5b00c9220a7dfd0ebff1a53

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
86273c6f8e28a12f60c73c1af58dc046

SHA1
9a29ded1e7d7b70b94b736867bd213767cacb615

SHA256
6f35433c19095e273d5c7e98ac2b4fe730453c94bda98eec5c3f26c2ed96934a

SHA512
d7a13f16a67ba514398b369ba9273d23f072e0dc9cbdddcbe1c42ad0784bdcc59a2ee2857d6c6b3468eb78bb743c62fd0a1e651fd3956deb5f98bc4c6b1ec2a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
14KB

MD5
f96689e8ddd533d63b301eec7d71bb34

SHA1
15422f634ababe5eb0713559b865187b2358f40b

SHA256
6f4907edd79c417c747033c4b22f3d5fb325d68c36a1d815a85692b722d8c60d

SHA512
c5236bb549b25837281a520908b3b009896d5db79719e58a75b620da6cdfeb21a6d3df2e49f0163705c24776040e4a32433291dd3db2ecff1e2a8425e737e22d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\scriptCache-child.bin

Filesize
479KB

MD5
0855c7d08fec744aecdba12f3d841475

SHA1
ccbb699f95e0facee98ba71f59b8a654111df21a

SHA256
2a7474f3e141c135ae792c015f8a9fbd8313ab53ac8c69f3bac65ab8f945adf5

SHA512
c6ac5080a555adfcab4f09b0a011095d190ffe27af60c22520b075a8cc8d20ba26df76927aae1ad1e2159f4cdcdf05df4514aa8dfc49223970084141a3f81091

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\scriptCache.bin

Filesize
8.9MB

MD5
94b0b4eb58f94b1ebcdb7e0a87a0b953

SHA1
f38c0f2f55ff26e5bf22e9d83d19d53075201f45

SHA256
8339fe9b17fd2877ad14e9c2789a8c5a7c4854fd982cae24cc0f05ed956e45b5

SHA512
d904e0094e000d032cfa417b5cdd1acf6ab9e8864f569903ccc2b3594c1263899d8d94d0fa85312e2bf02ec92f32bf9eaf3593f273c7931e299ed8174d88772b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
fc267a05708aaf6fdc32aa635ff6d0c9

SHA1
e7f0243717b193ce1a3e6efe9a7229f138a317ef

SHA256
07dcd189d3ec947caecaab3d069e700de04cc4fbc7e95c71ea019b6e1d1bcba0

SHA512
70fa8cfcab1a53f9794c120e265977b50e78ade213890147d6c13f6a947b5361f554983470adcbf1f88fac77b3f679379e06f637d12cbe9c3d06ea38f60a5f2c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
5a76bb7ca33ab8ee1ef9582ec06cf748

SHA1
f8f15975cbae2212aa6e60f6ca0996ce081a6ac4

SHA256
1d0db5fa30ccf7a702269c47a2ae808df845d1dadfa1603dca19a18749583229

SHA512
95f7e58293eac42b3364bc475967ad66af7d84465249b9dc4b8e5fffdf2fb311998685534eaf794364f2890814e9791ba74f49f3a48fe7c3394c24a9673ca7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\CLWCP.exe

Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\bg.bmp

Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\flasher.exe

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\horror.bat

Filesize
896B

MD5
3255e8bcd675d756d558dc26bb82620c

SHA1
ec7466b0bb13bf2c88504f01e73856e1b2887415

SHA256
10470be0fd23195dd21893584409dff05f6f58f48af5ff7106368ca12aa9e591

SHA512
7674e4295efd95d3cb8a6f2c00a4b5d68e6f8fef233a56aae66150d8037899943ac93066601d65bce358719e174d1d21731eddbdfb830d5b08055fb2f8f292cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\scream.bmp

Filesize
764KB

MD5
71da1eae2be419d58f50b9a4edecd9a5

SHA1
f85815f8184e7aa1a0062da376ab851870466d66

SHA256
fa03cbb06cd0a6c4875f5cb770476ebc6947b0fd366fd779bfd4c9f8b0899536

SHA512
be46a45de3d966a02c74218357d288948292b0e772a6a18bfc4c5d0b805af050d0044db18a60913cb458b5ed4f2c4fa913621984d412fc5a0edb3a0b57ee9fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A90.tmp\x.vbs

Filesize
40B

MD5
d660e3dd2c8156c5ca93f6cbe03ffb9a

SHA1
7b9292cb5e10a25f78248dc045655b56eb3c855a

SHA256
8dbf38ef140f7b29fef5c6a5447a5df9a7984be14b7790a538c8a78678f049f8

SHA512
7377221f5164ede22a08aa27cd4104c883b5c8dc39f373ffbb415251ea71f068ceb61e08ee4652dfebf1a58633cb1fbb1b2b11c5483290b77eef8abafb7cd56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
6KB

MD5
77f599bee86a13e110510f4282b35ebb

SHA1
f34656bd4f766f7535785742f51a337d73afdcc6

SHA256
b3b35b75c6c3766ce1c487faf1586287d58fbed644a752e1b73b347ab3fc03d5

SHA512
a27bdf6a7978a7293597893d4662de0b9b31c9acb8be869672e23b3f2670bafdf858f7e52de7fd0dcd0f61a8f242f91e8621179e5543d9f881bcb3918209bd41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
7KB

MD5
a7c16bbd5f8b5ec1907ef021d1077f8c

SHA1
4ae7939f3bead921a57b211c3fa0b4c8f4c3dac2

SHA256
1efc4942b814f2ca7ab3823c72955ff7afdf66ca4437eef45121809ee299ff0f

SHA512
7d0f7b6c3798fade94a9596af0560b7a2e34c445ca80e007cc514f86bdc41d9c862aefb90fa2755143c7b0f37608785a45ab76fba627d00b2797d6e51d306dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
2c298d25bb28c31e320c2846833bdcf8

SHA1
01197bff3f9e017af710853d0260888d2b52fdd9

SHA256
4c99ee5866ccb933a13f828cc2873f96d25ea5aed5a75cefa2929f6f85a3c982

SHA512
8662826e8eb5774482b4914e134a632a92cf2f7037cbc6fa85be984cc1fd910df6ab3321cf542a0c30a8412b68609a9b801cf0408963fb21301354edbbdd8396

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\cert9.db

Filesize
224KB

MD5
8145adfbe64aace056d22d27a15d9735

SHA1
1a366458aac34a29b8db790379d2c23b2f4700c4

SHA256
507578c4f65008b818475fb86659c63ccff90de8d82fd2602b620af934805fc3

SHA512
6cb8117131e47bf292f61d4e2393c4a8551878f35648f4b1789ec899af9fb0ba92015168a898f81a5e590330680870b43dc612232dfd61494a3d3b64d9c84ea5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.bin

Filesize
18KB

MD5
93da39d660fc47a027cc48c35d6a6db2

SHA1
599f9e1b3967ab3ede9b7ddc9eaa80a264c59196

SHA256
f7de2a4f683c491a2a16f33e2f1d1cc8d55af42da445d95fdf873e5b6fd5c4bd

SHA512
d31899cbb0fe50ef346aa872096a59fd5f4c1ab474e9c9c3241f91d7844a662ce464201fe2b85247dc89d42d091e9aaf8eb82dc867d857a715d8e7c5ca138b42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
96a286ed86cabf6370c7d045a24066ed

SHA1
2d8e75cf89bd0258a73ba979b44fe317f33d506f

SHA256
f84dcdb212c11fa5d405b2f252d7c9d8bcd09b62fb0d18c00c117f71b2be878b

SHA512
12c8e815189f03726023a1a0d27fec99f015118d737fab7728f561d97017874ec3da558429c3a1b9d012ffdbdd2736cd725c0235cec0bad8c15e2cca45329e37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
651b10339748e1634a776605be152210

SHA1
189db4bd88f325de87d97b1d2f188dce39787af4

SHA256
4ccf3d919dd3940ba9b086ce73b68a01efa1c92039ab1e589fa46b663a0de47d

SHA512
cbc0e9ca3f407e00ab1529970020a1778353f3ff4ba50a21fc8872d1618a7a2dc536eb0b193aefd01bf6e95c930cb14bfd7b17a79324fe75aa75e1f2be54e228

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
c4ae723767114f8f7433a54372bf4c10

SHA1
0ac268ee561554c036d7933c7a23c62812501a47

SHA256
d9d05a454ba8183570790eb2e6f96e05c87af19c66c634003eb1b81e588a0548

SHA512
577ae43208abcd55158f4bea92ce17c9d535f244b39500e42e9a214edaab839ef0f1e93d52a6754d0cf0cfb9a751e99696368e65f0ac8ee7bc035fdc94378b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
555228bb0a808ba07e33731a3d58ca00

SHA1
053a381159dd98d239b870a5368dc34b9dde7b8c

SHA256
4124efaaf7a9de7bd57f8bf1fc6019a15a01db95c63368661380ae2c53bda1ec

SHA512
37c4bf947f225ccdedae5939af99cc2e650a148520b5c4c0e6537ac54b25dceaa290adce7c3d55860e2a98a82e94a6fa511e64c1c1df42a0401d27a08c4ab9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\events\events

Filesize
271B

MD5
e3308d66bfe1a18f57131fbed9b6ac26

SHA1
4f8109a11c5393990f14fb9736d2c169a59ddea4

SHA256
406f694c64caf3fe4256488c9b1c7e64d354041478e6b07b303cf76a8d9dceef

SHA512
58e784ac05ab4fbf4a6f884c11a278ddf17cb105f8491e6609171788f68d50a39e041a63738629bce5c619898704198a6bc7e4fc5ad65243214c27daedfbff77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\55eb4d1a-31de-425b-ba2a-591769cb7a44

Filesize
25KB

MD5
3fbb4bca917b72758561b82e487d6260

SHA1
2059abd8e1f46ad237f43a3229e5c9ea005af71e

SHA256
d19e00758e477f58db5514147021d7c0bd458a156ed8417fdab501abbe9a90b7

SHA512
341edf336a4bc9e22ba1bd155c751b9d7e87a66ad8a48d8e16845eddc3dadf3fb915234568c6bfc99e7ca6d076926b3dfa2bc623eab49a3e2084f7bdfaf70f48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\71ac9daf-02b8-48c9-9446-a17817f02ebd

Filesize
671B

MD5
c99f2a8e452395b8eb3fb13c71617744

SHA1
8295088b1c0cea325339dda671b77d149d115aa0

SHA256
e86b14c0668c8bdc0eac29071766d471ee7c3508c7ca0756175c79a285edc232

SHA512
43c2723a3feb602481acc38db674779ae6fcb465e32247aa8e383389d3940ffdca0dba331ea64bec1704b110d755b5bd750ec67362b9334fb8921454c441b62c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\7ad20f85-2a71-402d-8779-fe1e6d8fbc37

Filesize
659B

MD5
5400a3ea60c2a1cb3fe658c93fad40cb

SHA1
a43f9bca4e6fe5600bc1a2884943814b733b0a9e

SHA256
48b93e1b10dc0c99553d732ecb6ed0fcf3ca56b0a66bee1e2f0ba8afd4dadfa2

SHA512
c4328815607457978df5702e165e23b13bf1ea43d59cf98c4162044c9a8ad27ccebe3f4ad9d1263654f09102d2f67c18f72306f79151045e49f68b8ef9cce02e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\9c1f0795-94d3-479d-a8e7-172af174dc6c

Filesize
982B

MD5
53e487cea495cacd14754d00f3fc71f3

SHA1
09b4ddd7a4c3076d23f755947d53e4a9e8bef3ab

SHA256
6f9bc8248e2b36a5e5fc77788219b8d8db0f1b40120efc6589bbcf7bbf319fb5

SHA512
e348064be66400cdcabbe5885c1b73c58d74a284594e6baab3a13a8e1a2a7d45bf59a55acfa88ef2a594a1e10554484e4e7fca4ac11327518ac957ff70e15d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\a7baed83-7efe-499b-b9f7-b7f4fc334f8c

Filesize
1KB

MD5
d157642f1bac8dda0009a306d7e481fb

SHA1
397464474c16f77bd4cc0beccd8dc8034ff3c85f

SHA256
26853cac5b648716c2db9969d528bd64e4885d4aae03b7363374ad30e9ea3ac2

SHA512
677ea287956fb4449d0b41c63d859328e7d1f96a31fc0830d5862870e084789f9a87ab44f4d926d25467808f8d2a754f729e2b106bfe7ea4d92796d551083607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\extensions.json

Filesize
37KB

MD5
f337efb96bee1313add2c534a9735c02

SHA1
c8f7b4a842a4ab9648d30ee87ed969dce3846903

SHA256
8803968d6b2797b8274c470a08200b64ff63b465cd1561df4b83b90fcc1fe0c1

SHA512
3c9a8dc0345b83826b94c9fa6373608305ac75b941b0abe61587fe5f4fa9ebe01df149fab7a784e257743dbfdd8c999f09d1f8c6c320a4bae1cdb4ee01f8485c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\places.sqlite

Filesize
5.0MB

MD5
8efbbf52557da38a13c059f1093c9fab

SHA1
bfb61375ed6dc988cbc43b06895fde987234c7e7

SHA256
61ad177e1501216b08c3b995dd4bdcb3b14c667b8ebca00cde464d727354ac6a

SHA512
88801f566c3f1512290907d53c4a58f9fcb5cacaa494b89af49e5c74654e4eb89baecf40b73e5aec6e866c0db1d73727759438f85260d9a533f553be61e98dae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
11KB

MD5
70c7d9e722d6d9ad3fbb7e38fdae497c

SHA1
670db5f50adac36cb95258fabdc28f5612a3a4b4

SHA256
55b87d191e71ee0e558026e672ffc6ee7b265e18748a18f9bdd2fefa701f502c

SHA512
ac9aefdfc0a2bb93a00b0301419d96c4808b6575d341039fb08156f4692089d5ffe80c14c18ab34589396200eee5e51415e4f4e93f2ec68aef512be6d28cfb45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
11KB

MD5
69e6c1ae6b415512fdcf5c3e988a17f1

SHA1
35ce7030a0f85aa537e7b1e7ca50b6827c6d5daf

SHA256
240d16604d38477d17407da16022793d8958ae44c96edbd52deee914f3227385

SHA512
14eeeea7927e8d85280fd62590053f31ed6671b76b22ed55299da5774a6ef7d65efd2b4c6318f4853c40cbc682338c639f61c5981768e345e3f042a46d5efecb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
a0eb7118bc8d6bfaf04a5454341f5649

SHA1
b912706b38e7b721cfd9c86121e431b9e7280a36

SHA256
b23c955fae30d3e4ab8b7dbc3464dec4394973bcc5c09f9dad782ef734800c2a

SHA512
1e31bf6a5f240c4e78273b90b745c2754e49ca0bbaae4adcc1e3e28d01e62fb4cc843b670c21e43ddd5c4ceb72eb223b3dfbe3eea2a9ce0c175a23ef2147cb60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
7a6eaf6966720324ac83cb6bd41fb86d

SHA1
6a4e17c378a2b35615c74810feae52301e6596b4

SHA256
150ef3b0d5be8ba49501c85101e313124d962ca409b6b2c67bf2637f3d0cee33

SHA512
c9cc245fa9888553bab141258f54b3c43be3659286548cdd3db3716e0c6b4cff4338dc057ff02e7c1c83240c39ef306c7ed21329e7901f5880b2a9851dd88b52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
b2644e203f7e7d8f0c9d09aa68d748cb

SHA1
136f0bdffcc6b19884fcbd3470619e9242aa7409

SHA256
3ab992189c395d47116051f3ad5b351fe2914605d28ffd2862f8b8336122bc00

SHA512
dff0b5c5e1e6bc6362dcaaab655f82a383559340b68065c981bbea3433708e4bb8eca351e3a8514d3cf8ee95263a4f5341c1602c0e9ba94759b5865393f18ee5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
11KB

MD5
d2959a343073706eb4af9f2bf1c0a6bd

SHA1
1dfa706c60096ca75c468ae38af32e047dc7f486

SHA256
22fbc85d8feb099e41cb106e62e9cbe51aeb0b2afc5e80b9fd719e08f26d4e8b

SHA512
5ae7e9ea105d7dfa26ac18abf2acf96dabed1749910968ad30526549af96831ad2e698daecff308c601432e9de1618d48f3d4a5ff6af54bdd12d7c8a8b82b6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
110ca0ba47d8e803b1c74d101febb285

SHA1
ee98383e9d6f572c3a43569a28d2ea49f0d3272d

SHA256
7f27a4c6dac338e8831d98ea906fe99ad0e135adb6c13d49698b21bc019dc8f3

SHA512
1bf56bdb4faaa3a5749ecf15bf4a47cd5f8f96ef730d73d340030b0469ca956aa2d80e6f4cd4b8d044f7e26b6ab09b2bf24db43457a6af499d87024f9135105c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
2cf81a073b987916f035929fc890af56

SHA1
b41d6aded1bb7f732e935d4ee786053f83b2df56

SHA256
35bf38c82f2c8cab12d49d2a6f9e60b3b9ca2064d02cf06428eac841c292da9d

SHA512
da089e5995707f5b161350f4de81ef51176843ae4bbb6eef793a328c910908ce28c7f8e93741b5a0a8f793d552dede1b37984c840607fdfa63e3b0218d54af38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
5c3931caa12fd2b0692e0232e506dd97

SHA1
f4b04b1c9906dd16ce38207cda85fc4f139870a7

SHA256
5192c42da9d57d8051f72cef35f3cb277b850e1c25063609a195a7dadc5e9bb1

SHA512
3e3ccbda47c06c39778b5a09cde53612adc4ad7dfffd5c4e80d606ee7550ff9cbb0b5ac9661555f8d23d4fba1d4dec5c7e80cf9bcf400e028e3580d54a15e1ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\xulstore.json

Filesize
627B

MD5
11f147944b08a8be8c3d073341092380

SHA1
11e9bc1ca7afda7bdcfbeb1862fc1708dcb63edb

SHA256
604ef87317035940a1e73c19e856387dfca2404bfebaee0f29fd21b45667cc74

SHA512
4a1c4fdad8290572b248773eca918aef734b1d59ee3ad83a0533fc5b10e157830b7a0fdedd63c1453845fe154ee2fe157c14871c0247b38138594f4a25170794

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan-main.zip

Filesize
46.3MB

MD5
f40cfd8ad6e12a92990085f58c59fc04

SHA1
83e5a09614bc65baab01ac5db204b47db30ba7f3

SHA256
716f5bc38980dbdad25ff050050e0c6e1491c57b841e959c068e9f8907e79d89

SHA512
b5bfcb4b399b076bd57c16ab7caf56e6e7c9663d4613b755ae6935a38b51641eeb981c873e898c10b46809099ced455ae322418274fffdeb6d8c56d7df5eb874

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 360447.crdownload

Filesize
25.6MB

MD5
8e7af35987851cd18f0b7c603e548583

SHA1
d7f90bc4ef3449dddfa00c855d13e6ae1f579c78

SHA256
0478e053e93e02ef02b9729b724275ac4b09476c858b965fad22d6911f7bf49b

SHA512
b60683cd1cc7f711542209c9a147c648324b5db4ed0b8833fcc01f34ebfde4e2b9473a54cb2c33af7f81b5cdc17156dbb79c4bf64de599a7bf24c98526a38569

Download Submit
C:\Users\Admin\Downloads\iRo9q9iu.rar.part

Filesize
419KB

MD5
fa608c076144062ebaee398c6afc41a3

SHA1
929088fa55cb5031a19f9544c08066a57d24d235

SHA256
180771c0c9a08aec09130dc669fba44a4e9f3b51ea0c916be8edcc8663667fc2

SHA512
475a8af26797d929fdb66abfa69eb6d94969f1e20d541210a2823ecf6e429500bfe33b3595e3fa4f3d5d55b2e1a6238e9bb755a83c5045fd0873229255806f63

Download Submit
memory/1900-1373-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1900-1625-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2328-1212-0x0000000000400000-0x0000000000C40000-memory.dmp

Filesize
8.2MB

Download
memory/2328-1367-0x0000000000400000-0x0000000000C40000-memory.dmp

Filesize
8.2MB

Download
memory/5032-1379-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5032-1853-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5616-1362-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download