phorphiex | bc4707c1d81c7978cf963c26b3cc69585cb8aaa8e4b5859cc4688220db88f9d0

Analysis

max time kernel
37s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs
Size

25KB
MD5

4b45ab4778ed8bf951c470d5ae0e550c
SHA1

5bc0146efccad916625ac9bf231f511fd8a7f5d1
SHA256

bc4707c1d81c7978cf963c26b3cc69585cb8aaa8e4b5859cc4688220db88f9d0
SHA512

a1368167d731d2587158ecc1b104b8e410da305adb58bfe556e4cf1b8421009260cf119ba7dade1ea833fa3628d801507daee08c897d9d0150d7e64dcb38ef80
SSDEEP

384:y8enbIbpBStxYUQHSH7l+ix/J/b6GvPCSy+tNywUWZEC:inucJb6HAUvC

Score

10^/10

phorphiex defense_evasion discovery execution impact loader persistence ransomware trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://45.93.20.18/

Wallets

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

0xCa90599132C4D88907Bd8E046540284aa468a035

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

Attributes

mutex
k9ubbn6sdfs
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.66

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000120ea-1739.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2856	wscript.exe
6	2856	wscript.exe
9	2856	wscript.exe
10	2856	wscript.exe

Blocks application from running via registry modification 14 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2816	wbadmin.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Disables Task Manager via registry modification
defense_evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wscript.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\msvcr80dll = "C:\\Windows\\SysWOW64\\msvcr80.dll.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Updater = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-VirusScript = "C:\\Windows\\System32\\systemconfig.exe.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advapi32_ext = "C:\\Windows\\advapi32_ext.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger	wscript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll.bat	wscript.exe
File created	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe
File opened for modification	C:\Windows\System32\systemconfig.exe.vbs	wscript.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\advapi32_ext.vbs	wscript.exe
File opened for modification	C:\Windows\advapi32_ext.vbs	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2736	vssadmin.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
2172	taskkill.exe
9068	taskkill.exe
2200	taskkill.exe
868	taskkill.exe
15036	taskkill.exe
12240	taskkill.exe
8732	taskkill.exe
11240	taskkill.exe
9052	taskkill.exe
6540	taskkill.exe
13388	taskkill.exe
14712	taskkill.exe
8388	taskkill.exe
2008	taskkill.exe
1600	taskkill.exe
4952	taskkill.exe
5888	taskkill.exe
16372	taskkill.exe
1396	taskkill.exe
7120	taskkill.exe
7224	taskkill.exe
13920	taskkill.exe
6652	taskkill.exe
2316	taskkill.exe
5392	taskkill.exe
6064	taskkill.exe
9544	taskkill.exe
12740	taskkill.exe
9040	taskkill.exe
2064	taskkill.exe
6128	taskkill.exe
6384	taskkill.exe
9664	taskkill.exe
4504	taskkill.exe
6796	taskkill.exe
10972	taskkill.exe
12808	taskkill.exe
12112	taskkill.exe
7000	taskkill.exe
4596	taskkill.exe
10360	taskkill.exe
13116	taskkill.exe
11808	taskkill.exe
7116	taskkill.exe
4756	taskkill.exe
6916	taskkill.exe
9692	taskkill.exe
10704	taskkill.exe
10840	taskkill.exe
16280	taskkill.exe
5008	taskkill.exe
8012	taskkill.exe
15100	taskkill.exe
2088	taskkill.exe
2528	taskkill.exe
2304	taskkill.exe
6544	taskkill.exe
824	taskkill.exe
2984	taskkill.exe
7348	taskkill.exe
7816	taskkill.exe
8560	taskkill.exe
1992	taskkill.exe
8628	taskkill.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse	wscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{98752C41-06B0-11F0-87C7-F2088C279AF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{987C7771-06B0-11F0-87C7-F2088C279AF6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{987EB1C1-06B0-11F0-87C7-F2088C279AF6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2508	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeBackupPrivilege	2884	vssvc.exe
Token: SeRestorePrivilege	2884	vssvc.exe
Token: SeAuditPrivilege	2884	vssvc.exe
Token: SeBackupPrivilege	2960	wbengine.exe
Token: SeRestorePrivilege	2960	wbengine.exe
Token: SeSecurityPrivilege	2960	wbengine.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeSystemtimePrivilege	3108	cmd.exe
Token: SeSystemtimePrivilege	3108	cmd.exe
Token: SeSystemtimePrivilege	3084	cmd.exe
Token: SeSystemtimePrivilege	3084	cmd.exe
Token: SeSystemtimePrivilege	3092	cmd.exe
Token: SeSystemtimePrivilege	3092	cmd.exe
Token: SeSystemtimePrivilege	2528	cmd.exe
Token: SeSystemtimePrivilege	2528	cmd.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: SeDebugPrivilege	5520	taskkill.exe
Token: SeDebugPrivilege	5768	taskkill.exe
Token: SeDebugPrivilege	6064	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3244	iexplore.exe
3252	iexplore.exe
3232	iexplore.exe
3196	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3244	iexplore.exe
3244	iexplore.exe
3196	iexplore.exe
3196	iexplore.exe
3252	iexplore.exe
3252	iexplore.exe
3232	iexplore.exe
3232	iexplore.exe
3588	IEXPLORE.EXE
3588	IEXPLORE.EXE
3624	IEXPLORE.EXE
3624	IEXPLORE.EXE
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2856	2172	WScript.exe	29
PID 2172 wrote to memory of 2856	2172	WScript.exe	29
PID 2172 wrote to memory of 2856	2172	WScript.exe	29
PID 2856 wrote to memory of 2844	2856	wscript.exe	30
PID 2856 wrote to memory of 2844	2856	wscript.exe	30
PID 2856 wrote to memory of 2844	2856	wscript.exe	30
PID 2856 wrote to memory of 1528	2856	wscript.exe	32
PID 2856 wrote to memory of 1528	2856	wscript.exe	32
PID 2856 wrote to memory of 1528	2856	wscript.exe	32
PID 2856 wrote to memory of 1184	2856	wscript.exe	34
PID 2856 wrote to memory of 1184	2856	wscript.exe	34
PID 2856 wrote to memory of 1184	2856	wscript.exe	34
PID 2856 wrote to memory of 2888	2856	wscript.exe	36
PID 2856 wrote to memory of 2888	2856	wscript.exe	36
PID 2856 wrote to memory of 2888	2856	wscript.exe	36
PID 2888 wrote to memory of 2736	2888	cmd.exe	38
PID 2888 wrote to memory of 2736	2888	cmd.exe	38
PID 2888 wrote to memory of 2736	2888	cmd.exe	38
PID 2856 wrote to memory of 2312	2856	wscript.exe	41
PID 2856 wrote to memory of 2312	2856	wscript.exe	41
PID 2856 wrote to memory of 2312	2856	wscript.exe	41
PID 2312 wrote to memory of 2816	2312	cmd.exe	43
PID 2312 wrote to memory of 2816	2312	cmd.exe	43
PID 2312 wrote to memory of 2816	2312	cmd.exe	43
PID 2856 wrote to memory of 2508	2856	wscript.exe	47
PID 2856 wrote to memory of 2508	2856	wscript.exe	47
PID 2856 wrote to memory of 2508	2856	wscript.exe	47
PID 2856 wrote to memory of 2284	2856	wscript.exe	49
PID 2856 wrote to memory of 2284	2856	wscript.exe	49
PID 2856 wrote to memory of 2284	2856	wscript.exe	49
PID 2856 wrote to memory of 2740	2856	wscript.exe	52
PID 2856 wrote to memory of 2740	2856	wscript.exe	52
PID 2856 wrote to memory of 2740	2856	wscript.exe	52
PID 2284 wrote to memory of 3000	2284	cmd.exe	53
PID 2284 wrote to memory of 3000	2284	cmd.exe	53
PID 2284 wrote to memory of 3000	2284	cmd.exe	53
PID 2284 wrote to memory of 2712	2284	cmd.exe	54
PID 2284 wrote to memory of 2712	2284	cmd.exe	54
PID 2284 wrote to memory of 2712	2284	cmd.exe	54
PID 2284 wrote to memory of 1372	2284	cmd.exe	55
PID 2284 wrote to memory of 1372	2284	cmd.exe	55
PID 2284 wrote to memory of 1372	2284	cmd.exe	55
PID 2284 wrote to memory of 2936	2284	cmd.exe	56
PID 2284 wrote to memory of 2936	2284	cmd.exe	56
PID 2284 wrote to memory of 2936	2284	cmd.exe	56
PID 2284 wrote to memory of 568	2284	cmd.exe	57
PID 2284 wrote to memory of 568	2284	cmd.exe	57
PID 2284 wrote to memory of 568	2284	cmd.exe	57
PID 2284 wrote to memory of 1032	2284	cmd.exe	58
PID 2284 wrote to memory of 1032	2284	cmd.exe	58
PID 2284 wrote to memory of 1032	2284	cmd.exe	58
PID 2856 wrote to memory of 1720	2856	wscript.exe	60
PID 2856 wrote to memory of 1720	2856	wscript.exe	60
PID 2856 wrote to memory of 1720	2856	wscript.exe	60
PID 2740 wrote to memory of 2748	2740	wscript.exe	63
PID 2740 wrote to memory of 2748	2740	wscript.exe	63
PID 2740 wrote to memory of 2748	2740	wscript.exe	63
PID 1720 wrote to memory of 2496	1720	wscript.exe	64
PID 1720 wrote to memory of 2496	1720	wscript.exe	64
PID 1720 wrote to memory of 2496	1720	wscript.exe	64
PID 2748 wrote to memory of 1952	2748	wscript.exe	66
PID 2748 wrote to memory of 1952	2748	wscript.exe	66
PID 2748 wrote to memory of 1952	2748	wscript.exe	66
PID 1952 wrote to memory of 2224	1952	wscript.exe	68

System policy modification 1 TTPs 19 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "Autoruns.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "procexp.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "gpedit.msc"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "SystemSettings.exe"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs" /elevated
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
    3⤵
    PID:1528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2025\avp.com" disable
    3⤵
    PID:1184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2816
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2508
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\msvcr80.dll.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3000
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2712
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1372
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:2936
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:568
  - - C:\Windows\system32\cmd.exe
      cmd
      4⤵
      PID:1032
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        6⤵
        
        PID:2224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        7⤵
        
        PID:2052
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        8⤵
        
        PID:560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        9⤵
        
        PID:1956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        10⤵
        
        PID:1808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        11⤵
        
        PID:1712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        12⤵
        
        PID:2800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        13⤵
        
        PID:1680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        14⤵
        
        PID:1504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        15⤵
        
        PID:1968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        16⤵
        
        PID:1672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        17⤵
        
        PID:2752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        18⤵
        
        PID:2688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        19⤵
        
        PID:1920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        20⤵
        
        PID:900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        21⤵
        
        PID:528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        22⤵
        
        PID:1872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        23⤵
        
        PID:2548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        24⤵
        
        PID:520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        25⤵
        
        PID:1852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        26⤵
        
        PID:2304
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        27⤵
        
        PID:2356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        28⤵
        
        PID:2672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        29⤵
        
        PID:684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        30⤵
        
        PID:864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        31⤵
        
        PID:2812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        32⤵
        
        PID:1776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        33⤵
        
        PID:1736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        34⤵
        
        PID:1716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        35⤵
        
        PID:3124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        36⤵
        
        PID:3268
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        37⤵
        
        PID:3484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        38⤵
        
        PID:3676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        39⤵
        
        PID:3872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        40⤵
        
        PID:3920
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        41⤵
        
        PID:3952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        42⤵
        
        PID:4016
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        43⤵
        
        PID:4072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        44⤵
        
        PID:3084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        45⤵
        
        PID:3892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        46⤵
        
        PID:3192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        47⤵
        
        PID:3100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        48⤵
        
        PID:4248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        49⤵
        
        PID:4428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        50⤵
        
        PID:4480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        51⤵
        
        PID:4576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        52⤵
        
        PID:4628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        53⤵
        
        PID:4676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        54⤵
        
        PID:4716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        55⤵
        
        PID:4776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        56⤵
        
        PID:4904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        57⤵
        
        PID:5060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        58⤵
        
        PID:3528
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        59⤵
        
        PID:3160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        60⤵
        
        PID:4232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        61⤵
        
        PID:4148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        62⤵
        
        PID:4684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        63⤵
        
        PID:4940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        64⤵
        
        PID:4760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        65⤵
        
        PID:5100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        66⤵
        
        PID:4316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        67⤵
        
        PID:4608
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        68⤵
        
        PID:5004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        69⤵
        
        PID:4384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        70⤵
        
        PID:4604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        71⤵
        
        PID:5116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        72⤵
        
        PID:5164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        73⤵
        
        PID:5264
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        74⤵
        
        PID:5300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        75⤵
        
        PID:5428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        76⤵
        
        PID:5484
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        77⤵
        
        PID:5572
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        78⤵
        
        PID:5752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        79⤵
        
        PID:5852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        80⤵
        
        PID:6028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        81⤵
        
        PID:6120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        82⤵
        
        PID:5236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        83⤵
        
        PID:5652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        84⤵
        
        PID:5524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        85⤵
        
        PID:5944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        86⤵
        
        PID:6020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        87⤵
        
        PID:5344
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        88⤵
        
        PID:5568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        89⤵
        
        PID:5904
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        90⤵
        
        PID:5768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        91⤵
        
        PID:5312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        92⤵
        
        PID:5704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        93⤵
        
        PID:5224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        94⤵
        
        PID:5544
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        95⤵
        
        PID:5892
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        96⤵
        
        PID:5356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        97⤵
        
        PID:5876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        98⤵
        
        PID:3400
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        99⤵
        
        PID:6092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        100⤵
        
        PID:5668
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        101⤵
        
        PID:5940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        102⤵
        
        PID:5240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        103⤵
        
        PID:6156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        104⤵
        
        PID:6196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        105⤵
        
        PID:6232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        106⤵
        
        PID:6272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        107⤵
        
        PID:6316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        108⤵
        
        PID:6348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        109⤵
        
        PID:6392
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        110⤵
        
        PID:6428
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        111⤵
        
        PID:6468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        112⤵
        
        PID:6512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        113⤵
        
        PID:6568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        114⤵
        
        PID:6624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        115⤵
        
        PID:6660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        116⤵
        
        PID:6740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        117⤵
        
        PID:6800
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        118⤵
        
        PID:6876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        119⤵
        
        PID:6960
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        120⤵
        
        PID:7012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        121⤵
        
        PID:7088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        122⤵
        
        PID:7156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        123⤵
        
        PID:6300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        124⤵
        
        PID:6604
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        125⤵
        
        PID:6712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        126⤵
        
        PID:6828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        127⤵
        
        PID:6944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        128⤵
        
        PID:7024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        129⤵
        
        PID:7152
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        130⤵
        
        PID:6936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        131⤵
        
        PID:6796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        132⤵
        
        PID:4820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        133⤵
        
        PID:7028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        134⤵
        
        PID:7196
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        135⤵
        
        PID:7276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        136⤵
        
        PID:7316
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        137⤵
        
        PID:7408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        138⤵
        
        PID:7464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        139⤵
        
        PID:7532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        140⤵
        
        PID:7596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        141⤵
        
        PID:7644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        142⤵
        
        PID:7696
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        143⤵
        
        PID:7772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        144⤵
        
        PID:7828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        145⤵
        
        PID:7896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        146⤵
        
        PID:7932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        147⤵
        
        PID:7976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        148⤵
        
        PID:8020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        149⤵
        
        PID:8060
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        150⤵
        
        PID:8092
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        151⤵
        
        PID:8140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        152⤵
        
        PID:8180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        153⤵
        
        PID:6700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        154⤵
        
        PID:7288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        155⤵
        
        PID:7140
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        156⤵
        
        PID:7384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        157⤵
        
        PID:7524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        158⤵
        
        PID:7628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        159⤵
        
        PID:7576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        160⤵
        
        PID:7736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        161⤵
        
        PID:7840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        162⤵
        
        PID:7864
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        163⤵
        
        PID:8164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        164⤵
        
        PID:7680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        165⤵
        
        PID:8212
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        166⤵
        
        PID:8244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        167⤵
        
        PID:8300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        168⤵
        
        PID:8332
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        169⤵
        
        PID:8408
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        170⤵
        
        PID:8456
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        171⤵
        
        PID:8548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        172⤵
        
        PID:8588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        173⤵
        
        PID:8684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        174⤵
        
        PID:8752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        175⤵
        
        PID:8812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        176⤵
        
        PID:8872
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        177⤵
        
        PID:8972
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        178⤵
        
        PID:9028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        179⤵
        
        PID:9120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        180⤵
        
        PID:9180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        181⤵
        
        PID:8468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        182⤵
        
        PID:8580
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        183⤵
        
        PID:8620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        184⤵
        
        PID:8732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        185⤵
        
        PID:9036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        186⤵
        
        PID:9104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        187⤵
        
        PID:2596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        188⤵
        
        PID:764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        189⤵
        
        PID:8236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        190⤵
        
        PID:8736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        191⤵
        
        PID:9240
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        192⤵
        
        PID:9300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        193⤵
        
        PID:9356
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        194⤵
        
        PID:9404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        195⤵
        
        PID:9488
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        196⤵
        
        PID:9560
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        197⤵
        
        PID:9644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        198⤵
        
        PID:9712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        199⤵
        
        PID:9772
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        200⤵
        
        PID:9804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        201⤵
        
        PID:9900
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        202⤵
        
        PID:9944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        203⤵
        
        PID:10020
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        204⤵
        
        PID:10072
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        205⤵
        
        PID:10128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        206⤵
        
        PID:10160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        207⤵
        
        PID:10216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        208⤵
        
        PID:9228
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        209⤵
        
        PID:9336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        210⤵
        
        PID:9308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        211⤵
        
        PID:9460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        212⤵
        
        PID:3612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        213⤵
        
        PID:9548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        214⤵
        
        PID:9752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        215⤵
        
        PID:9888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        216⤵
        
        PID:3940
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        217⤵
        
        PID:10004
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        218⤵
        
        PID:9128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        219⤵
        
        PID:3732
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        220⤵
        
        PID:3636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        221⤵
        
        PID:10244
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        222⤵
        
        PID:10280
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        223⤵
        
        PID:10336
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        224⤵
        
        PID:10368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        225⤵
        
        PID:10420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        226⤵
        
        PID:10496
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        227⤵
        
        PID:10548
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        228⤵
        
        PID:10612
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        229⤵
        
        PID:10672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        230⤵
        
        PID:10776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        231⤵
        
        PID:10808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        232⤵
        
        PID:10916
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        233⤵
        
        PID:11000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        234⤵
        
        PID:11048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        235⤵
        
        PID:11096
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        236⤵
        
        PID:11172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        237⤵
        
        PID:11224
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        238⤵
        
        PID:10460
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        239⤵
        
        PID:4840
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        240⤵
        
        PID:10756
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        241⤵
        
        PID:10944
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        242⤵
        
        PID:10996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        243⤵
        
        PID:11148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        244⤵
        
        PID:10588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        245⤵
        
        PID:11040
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        246⤵
        
        PID:5208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        247⤵
        
        PID:5328
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        248⤵
        
        PID:11320
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        249⤵
        
        PID:11404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        250⤵
        
        PID:11492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        251⤵
        
        PID:11576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        252⤵
        
        PID:11620
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        253⤵
        
        PID:11736
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        254⤵
        
        PID:11788
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        255⤵
        
        PID:11888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        256⤵
        
        PID:11928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        257⤵
        
        PID:12024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        258⤵
        
        PID:12068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        259⤵
        
        PID:12156
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        260⤵
        
        PID:12232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        261⤵
        
        PID:10704
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        262⤵
        
        PID:588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        263⤵
        
        PID:11340
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        264⤵
        
        PID:11476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        265⤵
        
        PID:11512
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        266⤵
        
        PID:11748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        267⤵
        
        PID:11876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        268⤵
        
        PID:11968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        269⤵
        
        PID:11952
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        270⤵
        
        PID:12192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        271⤵
        
        PID:10480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        272⤵
        
        PID:11384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        273⤵
        
        PID:6412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        274⤵
        
        PID:12312
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        275⤵
        
        PID:12368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        276⤵
        
        PID:12420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        277⤵
        
        PID:12480
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        278⤵
        
        PID:12536
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        279⤵
        
        PID:12632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        280⤵
        
        PID:12684
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        281⤵
        
        PID:12820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        282⤵
        
        PID:12860
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        283⤵
        
        PID:12948
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        284⤵
        
        PID:13008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        285⤵
        
        PID:13108
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        286⤵
        
        PID:13168
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        287⤵
        
        PID:13248
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        288⤵
        
        PID:13308
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        289⤵
        
        PID:6180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        290⤵
        
        PID:7124
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        291⤵
        
        PID:12748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        292⤵
        
        PID:7556
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        293⤵
        
        PID:13220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        294⤵
        
        PID:13236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        295⤵
        
        PID:7116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        296⤵
        
        PID:12808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        297⤵
        
        PID:7172
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        298⤵
        
        PID:13200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        299⤵
        
        PID:13348
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        300⤵
        
        PID:13412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        301⤵
        
        PID:13492
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        302⤵
        
        PID:13532
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        303⤵
        
        PID:13624
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        304⤵
        
        PID:13676
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        305⤵
        
        PID:13752
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        306⤵
        
        PID:13852
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        307⤵
        
        PID:13896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        308⤵
        
        PID:13996
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        309⤵
        
        PID:14068
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        310⤵
        
        PID:14132
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        311⤵
        
        PID:14236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        312⤵
        
        PID:13324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        313⤵
        
        PID:13476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        314⤵
        
        PID:13568
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        315⤵
        
        PID:13816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        316⤵
        
        PID:8504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        317⤵
        
        PID:8720
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        318⤵
        
        PID:14208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        319⤵
        
        PID:8508
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        320⤵
        
        PID:13644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        321⤵
        
        PID:13976
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        322⤵
        
        PID:9740
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        323⤵
        
        PID:10192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        324⤵
        
        PID:1812
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        325⤵
        
        PID:14380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        326⤵
        
        PID:14476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        327⤵
        
        PID:14552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        328⤵
        
        PID:14644
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        329⤵
        
        PID:14692
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        330⤵
        
        PID:14784
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        331⤵
        
        PID:14836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        332⤵
        
        PID:15028
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        333⤵
        
        PID:15216
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        334⤵
        
        PID:1596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        335⤵
        
        PID:14768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        336⤵
        
        PID:15276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        337⤵
        
        PID:3276
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        338⤵
        
        PID:14844
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        339⤵
        
        PID:2252
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        340⤵
        
        PID:796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        341⤵
        
        PID:14724
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        342⤵
        
        PID:10660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        343⤵
        
        PID:14888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        344⤵
        
        PID:4380
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        345⤵
        
        PID:10008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        346⤵
        
        PID:15272
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        347⤵
        
        PID:4008
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        348⤵
        
        PID:10876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        349⤵
        
        PID:15088
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        350⤵
        
        PID:9744
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        351⤵
        
        PID:11164
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        352⤵
        
        PID:3552
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        353⤵
        
        PID:14672
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        354⤵
        
        PID:5044
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        355⤵
        
        PID:2064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        356⤵
        
        PID:4284
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        357⤵
        
        PID:12128
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        358⤵
        
        PID:12084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        359⤵
        
        PID:11036
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        360⤵
        
        PID:5256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        361⤵
        
        PID:14936
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        362⤵
        
        PID:15100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        363⤵
        
        PID:5796
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        364⤵
        
        PID:4768
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        365⤵
        
        PID:15412
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        366⤵
        
        PID:15476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        367⤵
        
        PID:15524
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        368⤵
        
        PID:15588
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        369⤵
        
        PID:15660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        370⤵
        
        PID:15712
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        371⤵
        
        PID:15776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        372⤵
        
        PID:15828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        373⤵
        
        PID:15888
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        374⤵
        
        PID:15956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        375⤵
        
        PID:15988
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        376⤵
        
        PID:16084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        377⤵
        
        PID:16144
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        378⤵
        
        PID:16200
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        379⤵
        
        PID:16296
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        380⤵
        
        PID:16364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        381⤵
        
        PID:15404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        382⤵
        
        PID:6148
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        383⤵
        
        PID:15192
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        384⤵
        
        PID:15804
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        385⤵
        
        PID:15880
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        386⤵
        
        PID:6808
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        387⤵
        
        PID:7048
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        388⤵
        
        PID:7652
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        389⤵
        
        PID:7964
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        390⤵
        
        PID:13648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        391⤵
        
        PID:15576
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        392⤵
        
        PID:7084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        393⤵
        
        PID:7836
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        394⤵
        
        PID:16180
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        395⤵
        
        PID:8404
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        396⤵
        
        PID:1688
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        397⤵
        
        PID:14076
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        398⤵
        
        PID:13452
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        399⤵
        
        PID:8420
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        400⤵
        
        PID:10100
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        401⤵
        
        PID:3012
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        402⤵
        
        PID:8820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        403⤵
        
        PID:9368
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        404⤵
        
        PID:16324
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        405⤵
        
        PID:9660
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        406⤵
        
        PID:9928
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        407⤵
        
        PID:8728
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        408⤵
        
        PID:10120
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        409⤵
        
        PID:10208
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        410⤵
        
        PID:16288
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        411⤵
        
        PID:9464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        412⤵
        
        PID:9700
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        413⤵
        
        PID:10104
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        414⤵
        
        PID:540
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        415⤵
        
        PID:9748
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        416⤵
        
        PID:16236
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        417⤵
        
        PID:10388
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        418⤵
        
        PID:10520
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        419⤵
        
        PID:10648
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        420⤵
        
        PID:10828
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        421⤵
        
        PID:11064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        422⤵
        
        PID:9636
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        423⤵
        
        PID:10448
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        424⤵
        
        PID:10820
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        425⤵
        
        PID:5000
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        426⤵
        
        PID:9476
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        427⤵
        
        PID:10300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        428⤵
        
        PID:11364
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        429⤵
        
        PID:11500
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        430⤵
        
        PID:11680
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        431⤵
        
        PID:11856
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        432⤵
        
        PID:6112
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        433⤵
        
        PID:5232
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        434⤵
        
        PID:4596
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        435⤵
        
        PID:5628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        436⤵
        
        PID:12116
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        437⤵
        
        PID:6220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        438⤵
        
        PID:10504
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        439⤵
        
        PID:12468
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        440⤵
        
        PID:6932
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\systemconfig.exe.vbs
        441⤵
        
        PID:7052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        34⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3252 CREDAT:275457 /prefetch:2
        35⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3244
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3244 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c time 00:00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/o-YBDTqX_ZU?si=KI64texgPjTiIt1k
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3196
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3196 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3600
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\advapi32_ext.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:868
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2484
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2432
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4144
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4604
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5196
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5392
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5520
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5768
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6064
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:5408
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:5888
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      PID:6544
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:6688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:6808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:6916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:7024
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:7136
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6540
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:6796
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:6916
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:6688
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:7120
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:6700
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:7224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:7348
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:7448
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:7576
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:7708
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:7816
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:8348
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:8484
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:8616
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:8732
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:8892
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:9040
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:9204
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      Kills process with taskkill
      PID:8560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:8736
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:8196
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:9024
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:1992
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:9276
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:9432
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:9544
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      Kills process with taskkill
      PID:9692
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:9840
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:9968
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:10432
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:10560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:10704
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:10840
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:10960
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      PID:11120
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:11256
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:10584
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:10972
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:10360
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:11240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:11296
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:11460
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:11660
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:11808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:11952
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:12100
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:12256
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:12592
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:12740
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:12896
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:13044
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:13196
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:7116
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:12808
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:13100
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:6668
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:13116
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:7224
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      Kills process with taskkill
      PID:13388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      PID:13564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:13772
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      Kills process with taskkill
      PID:13920
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:14076
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      PID:14212
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:13388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:14428
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:14560
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:14712
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:14872
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      PID:15200
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:2172
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:2064
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:15084
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      Kills process with taskkill
      PID:15036
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      PID:15204
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      PID:9848
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:3020
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:15100
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      PID:3156
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:4900
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:2828
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:6128
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      PID:5564
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:16020
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:16280
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      PID:13296
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:6384
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:5008
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:8012
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      PID:6356
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM MsMpEng.exe /F
      4⤵
      PID:14232
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avp.exe /F
      4⤵
      PID:7476
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM AvastSvc.exe /F
      4⤵
      Kills process with taskkill
      PID:9068
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avgsvc.exe /F
      4⤵
      Kills process with taskkill
      PID:8628
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avc.exe /F
      4⤵
      PID:2704
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM NortonSecurity.exe /F
      4⤵
      Kills process with taskkill
      PID:16372
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM Protegent.exe /F
      4⤵
      Kills process with taskkill
      PID:8388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM pavsrvx.exe /F
      4⤵
      PID:14468
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mbam.exe /F
      4⤵
      PID:9264
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM avguard.exe /F
      4⤵
      Kills process with taskkill
      PID:9664
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM mcshield.exe /F
      4⤵
      Kills process with taskkill
      PID:9052
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      PID:10904
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      PID:11676
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:12112
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      PID:5956
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:12240
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:7000
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:6652
- - C:\Windows\pei.exe
    "C:\Windows\pei.exe"
    3⤵
    PID:16028
  - - C:\Users\Admin\AppData\Local\Temp\194217946.exe
      C:\Users\Admin\AppData\Local\Temp\194217946.exe
      4⤵
      PID:8980
    - - C:\Windows\sysldrvcs.exe
        
        C:\Windows\sysldrvcs.exe
        5⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\956214645.exe
        
        C:\Users\Admin\AppData\Local\Temp\956214645.exe
        6⤵
        
        PID:12200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-695287569-7559772951198622584-878833269-33082836314881245321198606071747807743"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10755325841051939160982835887-426849993-12468623641773412835-5768654411131981341"
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a89d1b680f820f8dc21771cb268677c3

SHA1
c09678ba8229d27953e9f3ceaff25fed85ffec7d

SHA256
9877623d79f970f4876d17e99e380b643f040b63f10933409404643fe2e686d5

SHA512
4da3a600561bc97dd4d8c418f57cfd2db9774d46ff3ff18c5fb52912ab0ca0bb9525596655c2a3193fa668724d09bcaa9835572001e2429b0c651fa39ebdf19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C

Filesize
472B

MD5
049e5dad5c1b0e7951e4e48c9fc424ca

SHA1
fc06be30fcac8a98b35bc03a0bf360075227f124

SHA256
16698afd73ad28eded0534d3589d4297e82806dccd97cb622fc9880a75d46ebe

SHA512
87826e5e625a9f8c665b937dc509442e7f138a7f998f8fcf60ad3c95e37f18e2ad63c57197ab16c40db27aedbe3f4d5157e8cb96a142d216bee464cc5589dca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_F0A3BE93E1741F83EA2C0F5E175466D8

Filesize
471B

MD5
2cf5e31f6be86b5508474cf0cc463327

SHA1
1f830ed9d2726f4f172df858fd1094878e7542fc

SHA256
72a89c560d4e34407ddbb0366ad30b6fff76eaa61ec564c17b12de45561440fc

SHA512
1a75ee3b113454a981e510d0368c8d945797470e9f7d42df9478065eefbf67bc191c51ab783823ebd4fa66ca23ef626ea419563f39d60d357db0c583dd3df034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
55a9d47477efc448b7eed075b72fa283

SHA1
ad6f859f9505da554b2af374ecbb201bdbae6a2c

SHA256
000f5dccbfca60693c6a31af62f77f55c6025637be9b11f52c391d3687bc31bc

SHA512
75893543182291bd2a3ff611025ec5924e7b916aa120ef56b959b9053ea29aabe758612fa650df363e4cfe870808b7e37eeb3ca31cf769edfa5fe5dae09acedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
60c54210f7bdee2d5b16654fa0edd034

SHA1
b84b2a4c9fc2696dffe46b01d788682183b2c58d

SHA256
f6d5da82e07910717ac37a122078bb607559a148efdb0a5ebc13a873f3613a33

SHA512
fe7b7c67652d5e5d1c334270c181b4c9515aa019bb55983c794dc4341a31d391ee97a918c69250ea1f8a9eb1355848382261269fccf480ebc0f6d3cbddf0f520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0f5c13fb931ce24f1fef5bf9f7fe9198

SHA1
fd49168594cccd58e2fbc8b36df29082f9d76b1e

SHA256
240e178d2d983e6a1a60ba7f954a3a563dd02cf7dc5cabb334d4aa4ec31b684c

SHA512
8a13ba481e7c0f484158917394f3644359251d20b6bedf11a7d13894b52e6f68bb71798f735459b198f6598dcb99e348413259fca7e8bd944747cdc0ca200f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C

Filesize
402B

MD5
8e337d576b396a6700e7cc1f97225ae2

SHA1
1cb88fcc36525d186df7b205c0e3756efd0efedd

SHA256
df06ef4fee07960001a20ae12027086fe1fe836d6a09dd9dd3be68518e2920fc

SHA512
95a2e5f50043e76e09cd8ccab7f4ba8006b01caf9801054115626456fdc5e1a3b910dda36b69a338fe11759462ed6c114d8c6e75a90b57b8ed0ea062ff8137a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
40e15e40f0e86ca2ac8aec8f5cc4ec85

SHA1
e8bcf811f2a501f0970f10ea577edc0899530a5d

SHA256
9f8effc5c92a7b8ec4147f1a8c4248edc7ddfc0d6eae01199ad55112c611a1e0

SHA512
404eca36bc49ef4a2f9c49f27f7cbcaf901927601efcfb05268f01c48e2208c28d69b929ccc02909653b84c009c746042b8df8aa53c7ddbb6bbdf8c3bcd58c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d935d23065763041f2e52b722e5845bb

SHA1
2173612abea218d4d016af2cd992997cf2b4574f

SHA256
5943eda93ea094f1bceb646e1909e21c7ba5d8cda99142c1699c64a5967c008a

SHA512
2f93b4d925eb62ccc2e3cfedf07115977875125321c9e7f0e6090e08cebc28a0991053dc8e93c02b84f176da9a30dd177b203f734f80d16e8af9200cc911e21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2adcae55183a3e5e6cf8b1345fb28291

SHA1
58cda1371b941b1fee8e44b0aa087b4a567b07ee

SHA256
a8b6386248a2f237db8f699d4c30a2925cbebde87629289f29830c992946b481

SHA512
e87024d943aee15aebc2c2adc763d01bf3dc36cb46d22fc6593f8ee4216d3581263cfa18e9dd75e80b77b566b188b3e022c7f937baca5fbf80474fe9af616dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4118fc462c654ca3d8698e62d910a1ad

SHA1
b45c7788705408df412760d5e8dac951bfde6e3d

SHA256
1985f33687bf1837f8d0116c9c9d89dd63253a8ef8fff1a5170dcaa2a4d77181

SHA512
ed7996dcd1f44477ece0ad9e5bff058809bd6190fa0e6c5d944b1d41778b01d10bed9ff4e3a9aa4cb6b1a634209617f3cae7bb2db7faed934c0f76b209356892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ee95f50c7d5d66a32c097ce22fc020c

SHA1
940b380c305df32d78df7712f10a1018b83bd621

SHA256
085ddddcec88b17cb5e6d383ba05115c46028332cccbe401b0c0145d71f2141f

SHA512
a5b1202ee118769cbd3dc65f5215ee2327b83caa4aacfc3940d15151d3d5aae966776363a9880426522f929981b84166cf80524b27f2d9f7a17a538ecba9408d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b63afa26b58258c2e682f0482bcdb80b

SHA1
3bb35e9d56b0aee1a1bb54def0e486d6e7b980be

SHA256
503799bbb066bbfe4fae131970756664d4d3efe4186bc5f939f1743ffda0367e

SHA512
a999e1c9bb727e4ede203513bbd496e9841f43bc49f2129c787561c3092fae85db10a4617c144e455b9aec613631d6c47b2467052541759ab6873723fd4963b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4759277df1f34224afbeeb2dabb748f2

SHA1
f71f02919b32de090ad4b356e3adc74d6b55636c

SHA256
eeabc2999649a338e91370c1604c37d1887be8127e6156ba018a149b4ee38d34

SHA512
c1eada1e22208cbf01adb69ac05b3d409491118293bc65145c4a2c1a02a69083f50ac54d79b712333f2a09f16928e56fe367b01b6e0d654d568ac7d31fd72625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1da2b9a7fb9312cdca2265dbb3c7d4d

SHA1
30bfff2444af63e75dfcddf07d98b39d1db58404

SHA256
bd50b1ed418b6a8affe67d78cb68310a564faf829410896d532fde785a5a4760

SHA512
4555d0bb2236a0bdd908c060bf4926de892f60445465499ac423110cc8073622fb92c4c2306b9e65ab9e9f6e8134982f86c77b1e38f1b836a43e158863fba355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d346fc4ab4d684d7a616eecc28be4db0

SHA1
2a475c9c3a7b9e766bb7ca4b6b09477a78430984

SHA256
a0bbfadc8e33fae25202bb414d617b934090eb4a168dd1753c1b92eb8cb59149

SHA512
8024f30d3a2dac6f247ada80af225eb17389ef4ff924bfc33a0bdd65f080ebcd165489cb5ad7ab8e47c4b751f60aa3d1010d1e07b47b10381c0c34e25238c8b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
390944b0bd3a89880ddb4410d90a6b24

SHA1
8df42f54241ed873567a1d1ba56570eacf2924cd

SHA256
6a1124e6c52dca379a9ae409048f539f44e5f0bab4226f769d5e21dfd6dab1e1

SHA512
4d82b9519f86b3ee358e873babd3e7d95ef92042c0a1ca00566b9e028f374f434c627235c0541fcc028a799321705cd4a5f8764d6304f15a07a46820f6d8c994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
097b36fb1ca23b87ac0be1e94acd58c4

SHA1
e277fa63e36d9592a7e02701b94df943c353d7c2

SHA256
b410adae28c4daa9d4a710a4a3a7026bd8c9aab377ef6089493d57c63ebebc47

SHA512
b0739b99d0a1f46ed117448f9a5ae7d367e4bd3109e8a577851e260a9e981ff8518914aad28f8f7c0e477c6284597f2a061583ba2aadc264f9ef2cdc27e2ead0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6a60ca0cf39f2b8448984f3be35485b

SHA1
e2b7e085118cc37a694c2aab6d34cb977be3008d

SHA256
bc60a60b70a6d99953bc0ea5acdcfa73061d0283b0f70b2f5ffe4f55d46f7571

SHA512
9fc5b0d4c07da6ffaeeb835e6eaa1f9f9b9775da690d6fcc1e5a90e472001b033d95259ad3e25b57018e17232037d0e32444d6a57ee4dbef6a25b0830dcf4661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d1b2093a70e52dfaffc6e2c3ebbf070

SHA1
1533a653b515095e53349f49cf345f32058bef9e

SHA256
59d6cf2f1718a336d2c56e84c658bd5999314218673946bf533e2b280ae96cbe

SHA512
5fcedcb04fb82a49163ad986c4a664ec1d6ea8450d6615869afdd190684987995e7d01bdf09895b39cacb323d988e6ed8835cb2f79138a31adecf4fc14eb1ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d85b5a4e8c6f22a6c029353432a13098

SHA1
cf36e13a986cdd04747b4a12493dcd69a3c9cfa4

SHA256
37e5618839398edc3954fd1a4202404a2940106bfdea22b4c5196bd289238b4b

SHA512
e308393805d99cdb904f6c80839f1aaedf5387a1b99a2893cab6699d57ba4b53311cee2f6907b78c81fed42656845488f4e46375f25247fce67c0615019e24be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9463c2ca0d3ba9d8a42b833da4db34a

SHA1
930150529dada33c54fdb41115982bcf4dd97368

SHA256
103d79dcbf115b976d325b680d6405631382f3245c53db103ef430574ac48add

SHA512
aee7b93154167d48f203cb198facb251e9ddfcc71775fa30f452cd1c008126d84a0b3198a3331061f22611f617db0bb2014c08f718d0adffbc8e3846e9a52e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fad0256bbc29ebee838d1ada5ede18e3

SHA1
d533a55dc5d6788e6e5419018ca95059e86ce16c

SHA256
dfcd65e7500b94384cf1c411998463b81e9b305d09f8dc322c8f35ffdc590536

SHA512
98202cd44a5354ddd5fc966603b136b2b9d71e2d021a20ec337cd309d5c4d9d052b1c25604061385777e8df2d9fa72f56581d8444b4659ebd171f718089e3cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
729f0890d893d5a0ad911e4c57081f3e

SHA1
f0b37a694e5fb6fb306c14e1ff25b145fefd2a83

SHA256
dd2c273b84ea4f9b9fadf28af31a82bd8dd67e53747298730a29dd3ab906395f

SHA512
63eb5915c543d439908c79d9e9683f1960874c31ce22580c3542049eb20d2ef4f66118f341ad929a7d13833b303bb23d0e928f8dc77ab63f4c0d393df7cfa6ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd332dc7f81db64df36a30fd8012f222

SHA1
f6b6e4d9e987146365bab0f31f0b76d8cf410c06

SHA256
0c2ac9cbab87b3e905b206edf63d6bff4e6d8f68d76b6595f771f885d3557c50

SHA512
b97786a9ad7b3e79e3c48cc976fb7a69f8f2014faf1af82c51f332c072a75ee61c3488306706692676dfc1067ddad20a331ac1544ece88f4c0ad22d206024cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b9fb841f139a1f1062f19b86ce9ba7a

SHA1
d05f99cecab722c7a222f3bcf97c6cdebe52011a

SHA256
eb92eab0bdbc1df4d59b93a4d40324edfa068869f66489a4a6960b7b3ebc302b

SHA512
3bcbebf594d6bbc9bc7be9d3ffe63d1ad367aa3776840580501bb45b77c573e64e4ec8863ec4ae28aa8369c1815c7e794ff2d508a63156ef586c354af39c0fba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06df7b03a0f46074f2883f2da87f6bd2

SHA1
5ab0d3be9b61a0396a7bd26e49e4bd819c8f2480

SHA256
c8273f55dccd0912543ced3a14fccbfc814c2c1722dca4b891792f4b06d93867

SHA512
6c8b171dea621558bf622ce9fd59e3e7c51d990810a4741e47dcd03f5df3653901876737fe26111ae6642942f7b2dea89c0255489c9474e6180d976a6e1e520f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa82ff24f065453eb3d0396e528191ff

SHA1
8ea0eb22df86034a89b26f94e19bdd505e622759

SHA256
e0ef3a0d271ad18a7d182d775ee419ab0ce7bdd3738f3492d62785b02ac6a162

SHA512
06f9d74e169054114e04587fd60bcc3cca8aa49cffca31a88a2f6429cfc8a64d8537a9f07ff7adf6e1c36cc50cc6c9740debb836d02cf7ac6a510fe39e2fc96a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
491ee641aa305602d12553b5b0e79995

SHA1
167cc9239347ae6e3ebe3ed5cec477963a12f9bb

SHA256
e654ddd286b9c9ad565534903f0193a725e66a2618d1fd847bc9711a6cd3c8f4

SHA512
2de81ec4823d2897a582b8cd5194f1c02378af5e3e99ce713c25fb1b5930c408ca881083f7a316cd64c02b28acafd6beb23349d0e865d43a9efedd286c0b5e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9ecb2f44390fc856c715caf0933c8ad

SHA1
86b832e58ccfd3ae184c3d6c2a03f8768af89439

SHA256
e287a966d4ca43abbb95264a4fbea60fcce1256766bd40edf0d47d3b3aa2be30

SHA512
c1b46a95fc84bb9531a08fd111aafd476660992cf7761881661b80ffc65c62ae538077ee35fc4de92bddc733db0564494816d9745b3bb0b41aa88da6645d3591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37a8ce8f89446d196d0fd1061bd21fa3

SHA1
22832d30ade962cca3fe5cc6ba8af57f5002368c

SHA256
27fc24fb004fceb8be99b1c73b38621a8dc4d5c41116fa759ba8e4b6a5b75dce

SHA512
9892da00903f69cab1601954ab2c4cedb5c6679ff8ed7f5d775defb1a594ece12c72c254552d885847dad009db4a095a5e79ffe5f79d725eaf45baa8fec9d60b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14e7b55faf6395776bbcbe07116596c8

SHA1
510477195803a1c912b8bb82a5a00c40de131c8f

SHA256
7236938044c6d930810f4dbaea1798caedecffa69b8cfc4fa6b27f94f4b95f6a

SHA512
92c8fec24f3a0587990ec334f104c46e49982fe95f6e18e816af42055a7c2b09f7cc57c2b515ebc625812efc60c356ea0ff316f84b00dd12613bb8d088f1e461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de38c712b878e96cc33ddc8a23e32dd0

SHA1
19002b7643bc1c08f4794f2a83e9127c96136096

SHA256
77202cf49affae14e1910362641a1e728ee5afd37c5b4cc046b8689c41d6a1c0

SHA512
d1a5e58420264a2540a1d704d3929cf4d967a9aec873c63b92cbc5c267ae43eb7a764c18bda95e35bf8ba15b7d75a91cd6cb572136bbfb9f27fb0c2df0cbacfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034b07886d2180f2a6c4c4207ac29d65

SHA1
b36e8bb0f6e35c8137dd6c0342c3e48ec2e7e9b3

SHA256
046f7b21dd65dc386a697554b90d2f3f1379cba573995ad4f4ea86e3fed9070e

SHA512
39972aecebfba23e129e075919e12ed6c7b7b75821431588aef8c2cfcf0e947f2ec2d17208b10016c99c88fc84171023cd16f7c4375250c0452bb3eccbdfda79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_F0A3BE93E1741F83EA2C0F5E175466D8

Filesize
406B

MD5
90d7d62f37b9a8f8db97d6508761b173

SHA1
7b3eddd9999ec2fc935feac2f681d95e51c68415

SHA256
7c9528984434cac610108827576b605c4ca79c18a32eccb32f1b6ce8613ea637

SHA512
443d21eab1815bb84c7e997c75c50e2f26ae680434d2a4d75e7f7e83c90c5e9e7ffedc459c93a4aa1d5ec50d15d2d2b7c6d2c0debb62aae4f60f20d8739b8b5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
addf41d7d14e12d1d7a48faa7fd3d543

SHA1
5be9629f67b9228d0b8e7ed44e71f99f742f5d36

SHA256
199db083693f801b9fa20a0ca034b6e7345cd299d250a4bedf25cc65b62df1de

SHA512
4fd157bc16401bd258b5998e88564e44a7dfb096c381cf639b891fa9619cb500d88a196098d75682683e18b06b44efdd59a090948009ef71790cfcc772e7a03d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98752C41-06B0-11F0-87C7-F2088C279AF6}.dat

Filesize
3KB

MD5
bcc305e6635a6583545df27cc34dda14

SHA1
2420d19c3e1055547916ab3fcdfd5085f3849f42

SHA256
970514e8ee0264b884d19492d32b8d85b18afa58edab92cad95a7e47102a0a95

SHA512
0cc511d0b1b4dba26bb48597293c7f14e7e7d261578bcb3ee27fb7f1627a1e8e5b28cb67d89877c54176f943f333315218a0c6fde91fdafd10cbe42b2b6933f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{987C5061-06B0-11F0-87C7-F2088C279AF6}.dat

Filesize
5KB

MD5
315a387757c3f937595d599fdd96110d

SHA1
f38a88e512b4c88593b9e0cfba258294ae7a1831

SHA256
0860ceb5e9e187f7bdc26d597d23773e826151179fc5ddc68e09dd356d546f98

SHA512
f7b81d27b051d65ea5b1e80783fe8b4136e5e5efd4a1c86655d84399ada8d2b407e39bc54777e194119412f7a032ba5118e3c50e43e3676718c04adb8551e78e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{987C7771-06B0-11F0-87C7-F2088C279AF6}.dat

Filesize
5KB

MD5
a5dfff79a7528e4ce85801b3aed23327

SHA1
f8691b326bc7ceba5d8bdb45457671e0c7eada90

SHA256
d46dad666871e5a4185d928230b8c6f69f86efc31825510ff5eb5435ef992d10

SHA512
261b64331bf4806bf6aee0efa353382fb7fb31110f6b3d8a83f509c7f56b16cb59c28e029ae6cfc7a27376e6af2ba710b453f3087134add0497757e108097baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{987EB1C1-06B0-11F0-87C7-F2088C279AF6}.dat

Filesize
3KB

MD5
05af74416ce30817eb3d2353fbbb7c2b

SHA1
5b30a99df312f0a445afffb56dd7d347878dd1db

SHA256
c95751991a307239027dd2b7f6fa49b3c696df1c2faf9a2e7090235c0a92f99a

SHA512
d08bd766d236c4069ca0a071299031f13216ffa90025547c1513476eea25c1b2839dd9ff720875c8af013aed935a54a7fc8188bc8cac55f510528eae89480abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
1KB

MD5
3e419bda248d418136b3ba82fc74df83

SHA1
3e01e212ba8249382698e1175ca160c46c0d91d5

SHA256
c70d92fe7991e895aec38a468b70d8414092b7109e17b939389efd899056e422

SHA512
c7393993b31130cdb53ce669a88991753a929de09b2c6b132342e1f00244bccd83b8b9bd4e1893aae2db2ad6171ce5a9bceb00191efb587fab85f659c35feba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF[1].woff

Filesize
18KB

MD5
d77dde5a38a8920bc8e0d7ffcf5e031c

SHA1
c4e4a8aba5c128b7d5be9eee8525da2cdbd4d760

SHA256
58cf604e2059ebd4fe016f9b7422cc4cd653a589239ac7b4ce27f964e5cb8967

SHA512
574f162bdf8ce1163fe7cb33984ce961aa4b46b3a3a342c487ae199dd71f31e70e3d5f900fff9c2b88e15b6505d3d204702cbd8882830b01a54f6f3bb791c4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
23KB

MD5
30ef7351c99d2cd25159e6fc71e6c6fc

SHA1
5e44b3f6ead8d9aba512a9efac3ec0015a01e6e6

SHA256
6ba203ebcc641340ab5eedea7652697bc6e7e11def4c8e2e85d7493e0d4b1e76

SHA512
375750efaff14bdb39507c00db04c279d93d1e01027afa58fde65146bf627081b9aadd0b7f8d59f569abca39ab6d9b89bf3d84f61da90786794c94ee91bb6439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
23KB

MD5
1ac185dda7da331babe18e8d84ec6984

SHA1
1ffcb05cec93b6cb5a43a280ebfb99fe1f729ce4

SHA256
f00fa16d99be425022af380773c6b55cb44898a4568052c1a728ff9a383c9095

SHA512
f24abd0a39a6fb4635b507ab0b86b69a4efe214f69f7b5e22ae5deffaf56e0c4e5b980493e1df3fcb8a385ec603a02c1aae00832fd09d444722cd15afe421ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4503.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
263B

MD5
3ef0278e79a3b141585b0eb66d965dcd

SHA1
2c5a34b067b368adcb8daad4b6ead6c4a1a2ef26

SHA256
defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a

SHA512
b21fcb3dfc37680fe6669818505101fff46a0848a5406e5e94c5dbe4c6031bb47cfe4763d21fa8d966c8e09e8e5050c4e35bc1f0cfdedcb6cb63bec9db34221c

Download Submit
C:\Windows\SysWOW64\msvcr80.dll.bat

Filesize
137B

MD5
d3c8cdc769514ce85192750f1902c2ac

SHA1
bebba274b8268a749dc3010700bfd762b57386f0

SHA256
e69ca202d729a3a721f87fcbc4510479c59cd2423294a269204466474943725a

SHA512
66b63f8af41575ac1b486735efac9155e1dfe37d83e74944ee77b8a5ec3632c3bc0a0aefa1c2fe04ccff439ee09b32ea2176bf815f84c4cc2dc90a4e953e31f0

Download Submit
C:\Windows\System32\systemconfig.exe.vbs

Filesize
1KB

MD5
f7f9da3c5b7b83cceaf4caaefaacf294

SHA1
a1e8fdec05acbbee9db2f800c71c5d71fd9593d8

SHA256
fa5361028ad789b0423c8528a333748e628efc214f74a89840ed678abd068f79

SHA512
53ec381354624b46ae12024216e95d6303e697023d9b8e4f69c03a4dc096f6dcdad5253a5b2bdbb813b66150f132ebe9845f722f53e1f82d6bbd7e51a11dae7a

Download Submit
C:\Windows\advapi32_ext.vbs

Filesize
1KB

MD5
12fab7544912da13a25635c1c2c40044

SHA1
35ffec9f570c66a5ad2e4c733ffec8c00c546bb4

SHA256
82cdaf326f78c9ef5f6b5fd7c1307ca53efb80ea76775097cba45bfad276fa8d

SHA512
8820a71932941ea55114e974702eb4459f1019f43471e8abd9b84728c57454b539147f355e825cf99977c3a0369f7531cc2362caf1ca78609fd5f057f2b6e018

Download Submit
C:\Windows\pei.exe

Filesize
10KB

MD5
4c52cf849be8954638925c242e0cc976

SHA1
949ba0061ea9dbe3b9059bb2a7b20caa74861280

SHA256
fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb

SHA512
c11572dcd274bdcb5e94cf38ec36aa65e4d5605df250ee8887cd5098b044e3e2e71be3b3292118b967e27bc752b5cf5d9c8da5ac2834b7c156302c307abe123b

Download Submit
\Users\Admin\AppData\Local\Temp\194217946.exe

Filesize
101KB

MD5
8a30adfbb8c9ed8170177ce8c5738fbf

SHA1
2d029ddd39fe81a08982dd4309a74045aa91004f

SHA256
72b19310a8c3cdfc23be1041eb773e6e41a08ec608e53b027b32e05a275b1da9

SHA512
8885308b53b8d1baab14a98ec257acac9c700f2cebe48cbb79a25e3d7133f0016ba082ec9f8397c9b1677375dd5a1d3894d813aba5947f267b44b012fa6a027f

Download Submit
\Users\Admin\AppData\Local\Temp\956214645.exe

Filesize
13KB

MD5
181921fd5d4f7e043b446392233698ee

SHA1
0f710714ea4c01446dcb2ea4f29256fd53633f5c

SHA256
aed4ab578ba8613117a2132bee215cdc3b360a1d9f993ad937ed3eecd7e9f3e6

SHA512
a04699fa408ceb79f89cf61f2bea6ab85b6d93b52989f7d5ba6bdb22964fe8bc2a19aa3e1a02b063b11f8a63f3d3582ba0a621b97d911c27e2010fe9df5c6172

Download Submit
memory/2844-5-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2844-4-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download