Resubmissions
31-10-2024 08:45
241031-kn28bsvgnj 131-10-2024 08:39
241031-kkgr8avgkn 131-10-2024 08:31
241031-ke7rfssrhx 1031-10-2024 08:31
241031-kep7easrgs 131-10-2024 08:28
241031-kc6rdasrcx 1031-10-2024 08:25
241031-kbss5asrat 1031-10-2024 08:25
241031-kbcf5svepk 131-10-2024 08:22
241031-j9qkzsveln 1031-10-2024 08:15
241031-j5n7cswlbp 10Analysis
-
max time kernel
0s -
max time network
60s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-10-2024 08:25
Static task
static1
Behavioral task
behavioral1
Sample
LCrypt0rX.vbs
Resource
win11-20241023-en
General
-
Target
LCrypt0rX.vbs
-
Size
22KB
-
MD5
f25a640ad8b8ea3b0f63ae8959c129a1
-
SHA1
eadb43ef97823955f8b30a4e621e5422f8894afe
-
SHA256
3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53
-
SHA512
6964a4b78972d0fc0be9bebd2a3752a63b261281920f1b0bac2f9c9fb7215a268b2cb3258975f417df5e790c9c89da4f9ec8015f7e57b1cf0b58d2298249c524
-
SSDEEP
384:t0GbplStxYHQHSH7l+i/HVn2jv1QayXwA+sxQ+E6O:LJR2iY+EF
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe -
pid Process 1576 wbadmin.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4372 vssadmin.exe -
Kills process with taskkill 29 IoCs
pid Process 5248 taskkill.exe 9688 taskkill.exe 6588 taskkill.exe 8016 taskkill.exe 8128 taskkill.exe 8936 taskkill.exe 9884 taskkill.exe 10208 taskkill.exe 5744 taskkill.exe 6064 taskkill.exe 6872 taskkill.exe 9404 taskkill.exe 5236 taskkill.exe 6012 taskkill.exe 10052 taskkill.exe 1092 taskkill.exe 6240 taskkill.exe 6756 taskkill.exe 8108 taskkill.exe 6892 taskkill.exe 5572 taskkill.exe 5656 taskkill.exe 6432 taskkill.exe 8280 taskkill.exe 9556 taskkill.exe 5456 taskkill.exe 9176 taskkill.exe 7736 taskkill.exe 5244 taskkill.exe -
Modifies Control Panel 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Control Panel\Mouse wscript.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 1360 notepad.exe 3008 notepad.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 796 wrote to memory of 3020 796 WScript.exe 77 PID 796 wrote to memory of 3020 796 WScript.exe 77 -
System policy modification 1 TTPs 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs" /elevated2⤵
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies Control Panel
- System policy modification
PID:3020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet3⤵PID:3152
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet3⤵PID:736
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1576
-
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1360
-
-
C:\Windows\System32\RUNDLL32.EXE"C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters3⤵PID:2800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "3⤵PID:4084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js4⤵PID:5852
-
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs3⤵PID:3004
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs4⤵PID:888
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs5⤵PID:5124
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs6⤵PID:5552
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs7⤵PID:5436
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs8⤵PID:5528
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs9⤵PID:5748
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs10⤵PID:5972
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs11⤵PID:5888
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs12⤵PID:5560
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs13⤵PID:6044
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs14⤵PID:6128
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs15⤵PID:4384
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs16⤵PID:1900
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs17⤵PID:3872
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs18⤵PID:800
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs19⤵PID:4408
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs20⤵PID:816
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs21⤵PID:3412
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs22⤵PID:3840
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs23⤵PID:1804
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs24⤵PID:3900
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs25⤵PID:716
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs26⤵PID:4632
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs27⤵PID:2884
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs28⤵PID:2132
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs29⤵PID:4028
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs30⤵PID:4436
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs31⤵PID:4196
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs32⤵PID:3260
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs33⤵PID:3052
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs34⤵PID:4716
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs35⤵PID:3992
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs36⤵PID:3668
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs37⤵PID:5132
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs38⤵PID:1752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs39⤵PID:4068
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs40⤵PID:4036
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs41⤵PID:4136
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs42⤵PID:4468
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs43⤵PID:3120
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs44⤵PID:5168
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs45⤵PID:3712
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs46⤵PID:5324
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs47⤵PID:4180
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs48⤵PID:5928
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs49⤵PID:5416
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs50⤵PID:5908
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs51⤵PID:5752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs52⤵PID:5672
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs53⤵PID:6048
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs54⤵PID:2596
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs55⤵PID:6112
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs56⤵PID:5044
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs57⤵PID:4400
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs58⤵PID:5364
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs59⤵PID:6200
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs60⤵PID:6292
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs61⤵PID:6348
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs62⤵PID:6412
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs63⤵PID:6512
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs64⤵PID:6576
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs65⤵PID:6664
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs66⤵PID:6736
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs67⤵PID:6848
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs68⤵PID:6936
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs69⤵PID:7004
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs70⤵PID:7052
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs71⤵PID:7104
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs72⤵PID:7156
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs73⤵PID:6276
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs74⤵PID:6472
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs75⤵PID:6452
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs76⤵PID:6588
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs77⤵PID:6840
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs78⤵PID:7084
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs79⤵PID:7208
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs80⤵PID:7692
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs81⤵PID:7904
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs82⤵PID:8072
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs83⤵PID:7276
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs84⤵PID:7628
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs85⤵PID:8144
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs86⤵PID:8156
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs87⤵PID:7508
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs88⤵PID:8204
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs89⤵PID:8456
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs90⤵PID:8760
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs91⤵PID:9032
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs92⤵PID:9128
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs93⤵PID:8008
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs94⤵PID:8060
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs95⤵PID:7768
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs96⤵PID:8544
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs97⤵PID:8748
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs98⤵PID:8284
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs99⤵PID:8912
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs100⤵PID:8976
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs101⤵PID:5204
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs102⤵PID:5708
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs103⤵PID:9056
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs104⤵PID:5680
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs105⤵PID:3752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs106⤵PID:3628
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs107⤵PID:7504
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs108⤵PID:8244
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs109⤵PID:936
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs110⤵PID:3700
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs111⤵PID:5692
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs112⤵PID:2500
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs113⤵PID:3672
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs114⤵PID:8536
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs115⤵PID:5820
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs116⤵PID:3036
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs117⤵PID:7744
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs118⤵PID:9236
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs119⤵PID:9288
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs120⤵PID:9336
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs121⤵PID:9392
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs122⤵PID:9480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-