52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

max time kernel
1076s
max time network
1205s
platform
windows7_x64
resource
win7-20220812-de
resource tags

arch:x64arch:x86image:win7-20220812-delocale:de-deos:windows7-x64systemwindows
submitted
26-10-2022 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

8^/10

collection persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key enumerated	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\70f62c6a7f1739bd\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e4dca80246863e3\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9d91276b0be3e46b\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	iexplore.exe
File opened (read-only)	\??\D:	iexplore.exe
File opened (read-only)	\??\D:	iexplore.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UserIDGenCode = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\AutoHide = "yes"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LinksExplorer\LinksType = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807de02916e9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup\margin_right = "0.750000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7479FB60-5508-11ED-99DD-66E385D9D2EC}.dat = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0000000001000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 02000000010000000300000000000000ffffffff	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\1 = 6a003100000000000c55e87010004d4943524f537e310000520008000400efbe0c55e8700c55e8702a0000002c3e00000000040000000000000000000000000000004d006900630072006f0073006f0066007400200057006500620073006900740065007300000018000000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 200000001a00eebbfe230000100061f77717ad688a4d87bd30b759fa33dd00000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 03000000020000000000000001000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\3	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000000000001000000ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{834D8A44-0974-4ED6-866E-F203D80B3810}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010004000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005ac000000000000002000000e6070a004100720067006d006a0072006500780066006c006600670072007a0066006c007a006f006200790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000010a2faac14e9d80100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070a004600630072006e0078007200650066003a00200047006200610020006e006800660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000098fdd3e915e9d80100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004900760071007200620059004e0041005c004900590050005c006900790070002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e6070a0049005900500020007a007200710076006e002000630079006e006c0072006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000200000000000000000000000000000000000000000000000000000000000000606f198514e9d80100000000000000000000000049005900500020007a007200710076006e002000630079006e006c00720065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 64 IoCs

pid	Process
320	OUTLOOK.EXE
1840	vlc.exe
2932	vlc.exe
3280	vlc.exe
3660	vlc.exe
3784	vlc.exe
3900	vlc.exe
4432	vlc.exe
4544	vlc.exe
4800	vlc.exe
1376	vlc.exe
4532	vlc.exe
1296	vlc.exe
6076	vlc.exe
5756	vlc.exe
5028	vlc.exe
3080	vlc.exe
5516	vlc.exe
6156	vlc.exe
6336	vlc.exe
6996	vlc.exe
6164	vlc.exe
6360	vlc.exe
6420	vlc.exe
6316	vlc.exe
6776	vlc.exe
676	vlc.exe
6868	vlc.exe
7468	vlc.exe
7516	vlc.exe
7696	vlc.exe
3508	vlc.exe
5132	vlc.exe
3776	vlc.exe
3744	vlc.exe
2468	vlc.exe
4292	vlc.exe
2400	vlc.exe
8052	vlc.exe
2228	vlc.exe
7856	vlc.exe
4868	vlc.exe
3612	vlc.exe
8200	vlc.exe
8396	vlc.exe
8440	vlc.exe
8512	vlc.exe
8796	vlc.exe
8848	vlc.exe
8964	vlc.exe
9032	vlc.exe
9156	vlc.exe
7804	vlc.exe
2824	vlc.exe
9108	vlc.exe
1776	vlc.exe
6508	vlc.exe
2612	vlc.exe
9288	vlc.exe
9436	vlc.exe
9484	vlc.exe
280	vlc.exe
1080	vlc.exe
9900	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	chrome.exe
296	chrome.exe
296	chrome.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
3312	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
296	chrome.exe
296	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
7260	chrome.exe
440	iexplore.exe
440	iexplore.exe
440	iexplore.exe
440	iexplore.exe
440	iexplore.exe
440	iexplore.exe
440	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 64 IoCs

pid	Process
1840	vlc.exe
2932	vlc.exe
3280	vlc.exe
3660	vlc.exe
3784	vlc.exe
3900	vlc.exe
4432	vlc.exe
4544	vlc.exe
4800	vlc.exe
1376	vlc.exe
4532	vlc.exe
1296	vlc.exe
4688	explorer.exe
6076	vlc.exe
5756	vlc.exe
5028	vlc.exe
3080	vlc.exe
5516	vlc.exe
6156	vlc.exe
1700	iexplore.exe
6336	vlc.exe
6996	vlc.exe
6164	vlc.exe
6420	vlc.exe
6360	vlc.exe
6316	vlc.exe
6776	vlc.exe
6868	vlc.exe
676	vlc.exe
7468	vlc.exe
7516	vlc.exe
7696	vlc.exe
960	setup_wm.exe
3508	vlc.exe
5132	vlc.exe
3776	vlc.exe
3744	vlc.exe
2468	vlc.exe
4292	vlc.exe
2400	vlc.exe
8052	vlc.exe
2228	vlc.exe
7856	vlc.exe
3612	vlc.exe
4868	vlc.exe
8200	vlc.exe
8440	vlc.exe
8396	vlc.exe
8512	vlc.exe
8796	vlc.exe
8848	vlc.exe
8964	vlc.exe
9032	vlc.exe
9156	vlc.exe
7804	vlc.exe
2824	vlc.exe
9108	vlc.exe
440	iexplore.exe
1776	vlc.exe
6508	vlc.exe
2612	vlc.exe
9288	vlc.exe
9436	vlc.exe
9484	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: 33	4840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4840	AUDIODG.EXE
Token: 33	4840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4840	AUDIODG.EXE
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe
Token: SeShutdownPrivilege	4688	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
440	iexplore.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
1840	vlc.exe
1840	vlc.exe
1700	iexplore.exe
2932	vlc.exe
2932	vlc.exe
2100	iexplore.exe
2116	iexplore.exe
2132	iexplore.exe
1840	vlc.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
2404	iexplore.exe
2932	vlc.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
3280	vlc.exe
3280	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
1840	vlc.exe
1840	vlc.exe
2932	vlc.exe
2932	vlc.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
3280	vlc.exe
3280	vlc.exe
3660	vlc.exe
3784	vlc.exe
3660	vlc.exe
3784	vlc.exe
3900	vlc.exe
3900	vlc.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe
296	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
440	iexplore.exe
440	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
2100	iexplore.exe
2100	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe
2132	iexplore.exe
2132	iexplore.exe
1840	vlc.exe
320	OUTLOOK.EXE
2404	iexplore.exe
2404	iexplore.exe
320	OUTLOOK.EXE
320	OUTLOOK.EXE
320	OUTLOOK.EXE
904	IEXPLORE.EXE
904	IEXPLORE.EXE
2932	vlc.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
3280	vlc.exe
3312	iexplore.exe
3312	iexplore.exe
3372	IEXPLORE.EXE
3372	IEXPLORE.EXE
3660	vlc.exe
3784	vlc.exe
3900	vlc.exe
3540	IEXPLORE.EXE
3540	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
904	IEXPLORE.EXE
904	IEXPLORE.EXE
3372	IEXPLORE.EXE
3372	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
4260	IEXPLORE.EXE
4260	IEXPLORE.EXE
4432	vlc.exe
4544	vlc.exe
320	OUTLOOK.EXE
4800	vlc.exe
3540	IEXPLORE.EXE
3540	IEXPLORE.EXE
3540	IEXPLORE.EXE
3540	IEXPLORE.EXE
4956	IEXPLORE.EXE
4956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 1964	296	chrome.exe	32
PID 296 wrote to memory of 1964	296	chrome.exe	32
PID 296 wrote to memory of 1964	296	chrome.exe	32
PID 440 wrote to memory of 1484	440	iexplore.exe	35
PID 440 wrote to memory of 1484	440	iexplore.exe	35
PID 440 wrote to memory of 1484	440	iexplore.exe	35
PID 440 wrote to memory of 1484	440	iexplore.exe	35
PID 1700 wrote to memory of 904	1700	iexplore.exe	34
PID 1700 wrote to memory of 904	1700	iexplore.exe	34
PID 1700 wrote to memory of 904	1700	iexplore.exe	34
PID 1700 wrote to memory of 904	1700	iexplore.exe	34
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 1956 wrote to memory of 960	1956	wmplayer.exe	38
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 816	296	chrome.exe	39
PID 296 wrote to memory of 1580	296	chrome.exe	40
PID 296 wrote to memory of 1580	296	chrome.exe	40
PID 296 wrote to memory of 1580	296	chrome.exe	40
PID 296 wrote to memory of 2088	296	chrome.exe	42
PID 296 wrote to memory of 2088	296	chrome.exe	42

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:440 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:440 CREDAT:2896905 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:537606 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:5649414 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4260

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1096 /prefetch:2
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1724 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2436 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  PID:10160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:10176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:10196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:10224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 /prefetch:8
  2⤵
  PID:11216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:11220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
  2⤵
  PID:10060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=992 /prefetch:8
  2⤵
  PID:9524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=ppapi --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=2632 /prefetch:3
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:9732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:8472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:11600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:11712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:11800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:12192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:6632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,14296092637355652720,4450012274187167850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:13464

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:320

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:960

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:548

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2100
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2116
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2132
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:4142114 /prefetch:2
  2⤵
  PID:3428
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:16843 WinX:428 WinY:83 IEFrame:0000000000013134
  2⤵
  PID:1744
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:82379 WinX:428 WinY:83 IEFrame:0000000000013134
  2⤵
  PID:9532
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:11592
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:82379 WinX:428 WinY:83 IEFrame:0000000000013134
  2⤵
  - Modifies Internet Explorer settings
  PID:3092
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:11876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:603148 /prefetch:2
  2⤵
  PID:12184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:3749111 /prefetch:2
  2⤵
  PID:13340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:3486744 /prefetch:2
  2⤵
  PID:12236
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:4142259 /prefetch:2
  2⤵
  PID:13032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:3224731 /prefetch:2
  2⤵
  PID:13364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:2372793 /prefetch:2
  2⤵
  PID:13396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:2700334 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:13372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2776

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2128

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3264

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:209936 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:668677 /prefetch:2
  2⤵
  PID:2020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:734213 /prefetch:2
  2⤵
  PID:548

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3432

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3452

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3592

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3660

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3672

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3752

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3792

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3832

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3844

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3920

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3948

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2576

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3176

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3472

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3736

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3704

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:3128

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3492

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3292

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4152
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4172

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4208

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4216

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4308

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4488

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4508

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4688
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4800
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:4172
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4172 CREDAT:275457 /prefetch:2
    3⤵
    PID:1252
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1376
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:600
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:600 CREDAT:275457 /prefetch:2
    3⤵
    PID:4772
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:4164
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:1680
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:5200
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1780
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3252
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1696
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1300
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3568
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4140
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2412
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1296
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:1952
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
    3⤵
    PID:5604
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
  2⤵
  PID:5892
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:5156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
    3⤵
    PID:5196
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5444
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:3776
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4524
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:5472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:5736
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5736 CREDAT:275457 /prefetch:2
    3⤵
    PID:5156
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
    3⤵
    PID:5192
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5028
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5460
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:4316
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5512
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:5848
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5444
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3080
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
    3⤵
    PID:5460
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2732
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5164
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3084
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3200
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5516
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
  2⤵
  PID:3204
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:2428
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2656
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5324
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2844
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6156
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" SYSTEM
  2⤵
  PID:6236
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6336
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:6408
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:6440
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:6476
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
  2⤵
  PID:6596
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6664
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6984
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6996
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7016
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7048
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7076
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7100
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6164
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6152
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6252
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6360
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6488
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6420
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6428
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6316
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6776
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:676
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6868
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7276
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7468
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7484
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7516
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7640
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:7668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7668 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:7904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7668 CREDAT:26489858 /prefetch:2
    3⤵
    PID:9908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7668 CREDAT:1455120 /prefetch:2
    3⤵
    PID:9932
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7696
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7708
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7824
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7840
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6648
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6616
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3508
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6000
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5944
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5132
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5544
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3776
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7332
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1076
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8060
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3744
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3380
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3652
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5812
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:6844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
    3⤵
    PID:6520
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:4288
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1500
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2468
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5288
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4292
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2400
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6556
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2044
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2228
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8052
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7856
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7368
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6676
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4868
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8200
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3612
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8224
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8396
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8416
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8452
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8440
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8500
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8512
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8644
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8688
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8704
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8788
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8796
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:8840
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8848
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8964
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9032
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9156
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
  2⤵
  PID:6640
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8664
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
  2⤵
  PID:8660
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7804
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9076
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9100
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2824
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9108
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8332
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4636
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5308
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1776
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6508
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2612
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9272
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9288
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9376
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9400
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9436
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9452
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9472
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9484
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9652
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9780
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9840
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9876
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:9900
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:10016
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:280
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7796
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:1080
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7816
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6656
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1140
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6628
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9968
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  PID:9900
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10016
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5632
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:6544
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9360
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10160
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10196
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1740
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5928
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:10200
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:1864
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2988
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:8596
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5548
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:5116
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7660
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4660
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:1832
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:10256
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10388
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10576
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10636
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10664
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10736
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11040
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11124
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10384
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:8356
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:5564
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3504
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10468
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10476
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:8056
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:3096
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:4168
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:4348
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:6196
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies registry class
  PID:5492
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5492 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    PID:10524
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2072
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5492 CREDAT:865300 /prefetch:2
    3⤵
    PID:12024
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10380
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11108
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:7608
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11196
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6740
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:2320
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:7448
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:7996
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10900
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11096
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:4108
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9940
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11060
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10088
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:7968
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10952
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11248
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:3908
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:8000
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:7968
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:2556
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:9500
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4368
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11296
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11312
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11520
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:11556
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:7180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7180 CREDAT:275457 /prefetch:2
    3⤵
    PID:7208
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1728
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11552
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11560
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:4388
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:11960
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12132
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:6536
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:9752
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10812
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10768
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11948
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11512
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11744
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11828
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11656
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10348
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:6128
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7860
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
  2⤵
  PID:11856
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:11484
- - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    3⤵
    PID:11944
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10144
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:11344
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12156
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:3232
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5848
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:5080
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12336
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12404
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12424
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12448
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12560
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12592
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12616
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12632
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12640
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12720
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12752
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12820
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12844
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12860
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12920
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:12984
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13076
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13092
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13120
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13160
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13184
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13196
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13236
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13268
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:7924
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:11132
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11132 CREDAT:275457 /prefetch:2
    3⤵
    PID:2748
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11904
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:1968
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11896
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:5112
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10204
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11800
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:1572
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:2496
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:12832
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:11640
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:4504
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13344
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13536
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13552
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13752
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13792
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13828
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13852
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13880
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:13952
- C:\Windows\system32\SndVol.exe
  SndVol.exe -f 25690543 12411
  2⤵
  PID:14124
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:14288
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:14400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62b4f50,0x7fef62b4f60,0x7fef62b4f70
    3⤵
    PID:14412
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:14420
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:14976
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14984
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:14828
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:14828 CREDAT:275457 /prefetch:2
    3⤵
    PID:14756
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:14836
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14908
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:15108
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:15140
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15220
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:15264
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:15344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:15296
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:15296 CREDAT:275457 /prefetch:2
    3⤵
    PID:15248
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
  2⤵
  PID:13932
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11600
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10800
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10336
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:14204
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:10648
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:14588
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11980
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:15180
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14788
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14028
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15516
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15536
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:15560
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15660
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:16064
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:15596
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:15596 CREDAT:275457 /prefetch:2
    3⤵
    PID:4228
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:15656
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15668
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10672
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11648
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10096
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:14804
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:15692
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:9576
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:14792
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10248
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:11668
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13464
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:13592
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:11860
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:12580
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:12000
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:12000 CREDAT:275457 /prefetch:2
    3⤵
    PID:2212
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:848
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:13820
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:3856
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:4980
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:7480
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14732
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:14488
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:9648
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:1796
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:10120
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:15056
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:15064
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:16000
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:16040
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:16040 CREDAT:275457 /prefetch:2
    3⤵
    PID:16380
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
  2⤵
  PID:16048
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:16200
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:13212
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:16324
- C:\Windows\system32\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  PID:10192

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x588
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6296

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5492

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:7284
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\windows[1]"
  2⤵
  PID:15820

C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\msfeedssync.exe sync
1⤵
PID:12260

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00ccea5adfb37affd1eb3fe40c2e734c

SHA1
c5ccdc0e98ae91e7feed8bf302869116e3e9a5f4

SHA256
4126bb62d88b7b64403d71b55271c714ac75b7a485d45165e382fd441e4dff91

SHA512
c11e2cf439f7cc5715e60fa4582ea2dea4d956b6072c9f896cc1de4c899b7615f8984799fec7147b4279a384122e2ab99fdce4f372d473bc0fe45992e11f5fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41724224178e625e37d7d670b25c1c28

SHA1
8ee295887579a364ab078d21a283bd2d04537904

SHA256
0bab90cd0fcc397a49036ebbf02e272f6b9613f2a84a27f77aaa888dc234c8db

SHA512
3fb43e095293e78be0f55ee71518aac84d78df358e457a503a335b72545171b86367c17ddd91c3126802fa2055e5e42bb8f486f794f33789d23516f8da7578b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c7f5d5d281c3df72b2120b6b380068

SHA1
b4c23d2ccfdcacfd61f80bbed8f3adb25a4a5c7d

SHA256
07cc063d6c3d44631d156f164e22fea149281d9488caa2bb93f4ab329c3d6101

SHA512
0d946d698be087a6d97e033b20b4e0ec6fc036a24086d5dc5b4a672d99e4dd5c02dc98b30f615b8390a146ea4471450aca0ee70fda3fa30c92a760d06e665c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c5a96f3a350b524be70919672133c07

SHA1
6f43e3f81cf0ae1156b51ca7c96dc72961692741

SHA256
87b4d8d6e33cc524bf1393e79a85135147da9454bef4ca121b8d511ddc2729c5

SHA512
c540ebf2de1933f3971251be6822616afa4ac115d1ef75bc869583bb54d6e1977b182383b2b2dce74059e8ed3c7d362b79e58ef7130a400f77d56843f6326f85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c834e0592059001a3f3a80a059b53ead

SHA1
e8d44cf376f599979ae95d9594cbb92d260464d1

SHA256
b19ab75fa17b7d7cef8b436e515066899ca1c7dc637d83074642380e70c6c3cd

SHA512
685f7e2d34da7a0b002c1f14eefddd143f933c97b81aeccf13472cb1157e6a05487c00b2f13154149ae06ca3dc8ca3e06d0665458485c203b5ae44292b32e860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a3a3f970e265532ce72ef6b5ebba0d5

SHA1
8d0d3fe5afbd66bb08b8990a795a5a4f7e9916e7

SHA256
db78c2059288676163b53d3b37c3dbb7f215f75e7008a11d26205ed486b0cd1b

SHA512
2ac23ff62119311782192dcd262123d74878e230ea19f6cfaa19c1eceae03273778f052ee1594f8cd4a9bf0e138c79debe29b1dee482b5c5d2e9c607a941104d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be0f1cbe6bf11481b922617abcdc9de1

SHA1
44543bbfced76a6a49ad139151290306d649abc3

SHA256
cd15e4b8b5038f26efcf05c8110383c753c11e0b71b2c0e307af90ded905762d

SHA512
d6f1b28390c5b0eb19af829cefc745b0a7bd0078daa940db163e3a6c8113427b0be8be42fedbe454885c26b0131e40c7a6434e711bfdfc44d7794b4063f74c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fe7ed76757bb14d4218aae15dbf96bb

SHA1
a56dd69a5aed1103258be44fa0eed595f3a27ae5

SHA256
529b93ab1d9759d74198175e94d45ef68e0d2b63d99b4826a2416cbf8c8f0a61

SHA512
bb63ccadcb764c9e87870c8cb421190dc12ab1a416cd01a38f60c4de45ff1f25b4449349b68269c9f3ae46125358deb293c05694b432296192395c1d5347ae51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
508ef3b3fad41466a34461bda7016bed

SHA1
48057d7dd832499885c9b2a4a187cfa4736521ff

SHA256
c34ea644a85d4ff68aabedccf28d264d90636a5cfe9102abf280e1b3ea3428fa

SHA512
1998207e7d5695a4db983f65401ef26a83dd0a539b925fcaca81a54edca5699e83a02da13a9625d5f4ed5cb8dcb8428fec4f333d5b91f5063b6c4d0c66be162c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49ed040158e62a7b9b14d621f36ac151

SHA1
1d142adb92b8ee3b134468edd843ca11ec8f84a4

SHA256
43404677309c94b90bba5fba29751a04268ebac35ef9c476b3a3fe0191a105e1

SHA512
40c6b0cf76a150664e23967239162d2897ef3431aadc8512dc580954bfa48810a1a30b275803a5a688f60ca6fa0ec450866f0dc6c00fffbc97b38aedec470b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47779d2000e5953736f332f071723770

SHA1
9bf2d7d0c55937a6c6f5fc663f99fe6368259534

SHA256
d1f9be1a1c0c8adc8162d7a54cefd0a7f04c59114301512e92fc0c9d9b433c10

SHA512
a3fbf3046444f74b9b5627fdadb0a6e915c3cde8bb8be0767cc2c7dc1f5edf1e33e7e672e12a04bfcd827737666e04f8d8531f8259404a04c4dbcc07c504859b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68346a3d959fb787551fd140bf6f9407

SHA1
966ed36cd5435f947909ca426026ad17bed21271

SHA256
14cb5ad9d4d4cb274c34168b4e239525025882eaa34d85b66336fa88e597f52a

SHA512
7566a985b749733c70ca066a1289f9753b2712dad3ee0024c5646ab90a3d8335d34b68e52020ce223717ebe095b2a69c4b940cf950cbcf50b9c0a44e0b6506e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6757083d68b9e0dc7ce0a3dc8a1398db

SHA1
63093e6ef2bcc889529addd19f1857690f79c376

SHA256
71b24c0b19d2c2139e08b251ddca89236516f31011fe74d689e306046ad698e3

SHA512
81910288aaee44ecc7b713de0a036d5f460d6522f7b98772e85aa6a953eb83707b2150970162946f9be129af28143d95b29def20b79eb4aed9fdc76c4c404ce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b098200f41fcc30d7084df141f2e8f63

SHA1
526a5eacef4c301c7518b2eab22cd1c2b0df519a

SHA256
37d889d8b2cfbf5a1549eb7d8edab781d6689300867a0769519cd10b844f0692

SHA512
13457f53baab30b9332808459529a32d5ebc547ddae6d7faddc5e2d9874b57a2ab2f8b0a4355c18ed52f6ba46316f7496c51343c36cd9039d4350ab1fb62aa74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d99d95daafb4240ef216b2f962b5f96

SHA1
090f8e34c5ddf7e41eaf604596d68b4bd44234b4

SHA256
cc8eeb483f39c2f9eb01dcaf828acf1ea56e68eafa58dd67d86be6a2b7fd98e0

SHA512
b42bb61e8e3fea1dcf667675543a96f322e8d3d9793c2a52d7f2889e6e6afcf2c2f0535ee605615b9c41a4092193f5854b8e56d69750df4b4f472d04fdef064b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e747ad546cc26196d0f0ef0e20bbe657

SHA1
33815783a926f8291ca918f245f81f216cb28cb8

SHA256
090256d129a94d5b66c1a62c933c2b27e71988e7d8cb0b31683e9b623e859c22

SHA512
cdf53ca994a91e923048bca01c0aef9b97bda078d76f665aef57feeb96bd55618d4059f0f10596f3566f6b34e3c5f82518681ec27fbdb48c5227d0a84e420fd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898e728e002077e980f871c1689e191f

SHA1
88b5a8c9992462ec7c4101e122c8df6371c69be9

SHA256
0d2616ab3e0219c427bfe0cfa9f8a8fa2474c630b90f1406fcd3bc9a32fa6d92

SHA512
5a9e08c8eb158607bb7507beb8c2f86d86a45184f37c6d5af117be55b21335b4aed75d075bebfbf30b50ab7e18eb0ea46225f9e151f28e2ba90f489609ccb3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
521a1893eab69081774f7249eeda647e

SHA1
5feb315ad19d987261c236d97e5e9f667a2b1956

SHA256
41dd5a81f7ed50f8ecd93be7cb36b11194356135ce6b20046eeb164e54b938c2

SHA512
bce848a36c12424d37465cd87afbf7550d57632b589cc3f88867f4f2c6d9e2e0ca5d98e208db9628a9e70e94037e9b2af6adfa4ba10af8359a2cbc3352dcd26e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
562816d6ea0b0deeb05d9faf8ef8a973

SHA1
1a6cdb0c90c8ab04ba42418b5b6207bc512eb47c

SHA256
0be6b548d24759eceaa6c5ad0ecbe0947a14ac34d8401ca26e37a4045f366c26

SHA512
3136c3e9c56b780df0c43027703d76015dce17d32fed948ea7248c47e14e306dfd457d63e505ea3fed1140daffa61c9d9489ca3607481e1bfbbc9c652c1bd6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94cdb362ead86a76ed91772fd16844da

SHA1
c58d83a4bbcf6eafb0b7f63c6408d3a81a9fe2aa

SHA256
742d11cb2cc9ecb2a47adbb92471309c9923db83417db6719af5bc6d6f9f81ba

SHA512
1f937eeafab87f45b2cdd44bf2c18a5b09286cac4350167bbe10ac8463422ff86bcbf1eba81ee63a3829b287ad049e0df3957af886f1089c1d06c040483f9ba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1357b8f4e677f34d854a736cf24a09ae

SHA1
ad1cd9deb23dc36ad57f7b982ee48cdf0f4db800

SHA256
5884b89ca55f03e2ecd7a598cf7cdf353a639020ff7954c85e27c1f4cec1f9fb

SHA512
c764f84814d7c933fbbeb7b5aff5e35103500cf2951b5b6380c0132d2c9c58043b7bc91d8c730a01c5fbc8181840292d72901bc978f1e73d5d4182e85b96b99a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c56a2b649c44144b78e6e12cd2c629e

SHA1
4142645adf87c579c8d2c7676315443f2090699c

SHA256
81e16b0e8ea4f98dc8250da4bf9119a926a0819dfcce723054fe1529f83a2c6e

SHA512
951c7f2699c42a85335fc7c0388d54c1ca628b8950855b127ca04b4440a184f5b52ce29f8e86bf89e502734585ed87a8da1b15ec95afe6c62c020a5974253347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed6ee0ccef27e8eaaa207e84d4c0cfbb

SHA1
a64fb92322975f57bab45209fa6d62ddd48c00b3

SHA256
9b304751bccc46470a1ed655964e711da694ea06f8044da017b61a67121ca676

SHA512
203becd67b55d13d2f60ccf74f09ec428d48258c1079a2ea16049a2e9a9aed6d97780457f9b8abd99b8b8a860cfcad1e81e32b74bad5cea0ad47810766f5648c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36BF231-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
10KB

MD5
76c5b2028bab5e450d24241799e1cf56

SHA1
4ceeca53f628f773a204911e42e26e5404e5432b

SHA256
92674924975a77964d74ea117e24f10c280f32638557ea2e6290ac3787f79985

SHA512
0c72baabdf6644b6e1e80a5634745e28a535375b1d8e485faf9cf5ef30c3edcba1ec96c89f262252956e5a1c6f49dad39579b1a96273a5c6b108e8a071dd9850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36BF231-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
10KB

MD5
5c88c50b60011ee38f6729927705ae89

SHA1
d25d88eea2db4449fc69bb7583013919139524be

SHA256
10a5e182e2eea323abe614b60ee8af2b825e826da02a6e29cd6be30956e9b306

SHA512
8aacde69cf0623adaeb7baab3238acb4f115869ebc99ec60058696c9fff520e04bc792de2ee751e26aec8fe047bc454d9d0f569509e65948bb888780e6b634a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36BF231-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
4KB

MD5
28df7cc4a28ec4345aba64c490f97468

SHA1
acc05bab97a28de1f88abd489b676b666b70c879

SHA256
e6448cf119d4464e233f48bf6e567b8ef3431fcb58d24ae9ec762121c1445c2b

SHA512
b547672e072c5a983fe98a15068bd7a960a175c4e8e7d2565ab0b1f6697d3368d4f92a68bf36c8ee1e801ea4a183944aa83412f3d883c8470079d1a86b7f8dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36BF231-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
5KB

MD5
afd0245406ed996c726d719d1acd70d0

SHA1
13ea8a9d571e3ad676bc2f2f001c4eb922111d9d

SHA256
e1de0b5fa10645141825092a4c38259f196ba82f048f358740b1222c2a837dc4

SHA512
982b1f5e1fff36d9abef5f5b2343e2f5ce31598a4b92fe000a9cddd839b9b2adb1adf2a919990954f77af1e83746f1bdc2e25c5f8ea7dadfa8d7e2df4479f97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A36BF231-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
6KB

MD5
a0a49659171f5a52636acbc14303c59b

SHA1
c06f3fcdfbe19be4222754f8d339143b2ab7f04d

SHA256
74ed91298dbc8f57589dcb140c126df620ba66b0cdec55f2653ac287f8d606d3

SHA512
2dc34abd2735316a8e6a019bf081cef92f7b30b51a36ee65c0875de43058b8f269ea6b16abe17a5a72b319e4d73cb879284f63fe60f0395c63a2983e5f4dfee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A5C88F71-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
5KB

MD5
23c5d988cbf8ed0328af26b9113b3a59

SHA1
5c6c88565653cf297c405535598d34f91cbb576a

SHA256
a36682cd45114442da337abf264ba29ac902009dd4dc102eede97a0895d0b71f

SHA512
a646107c62703eed1a2b65f8789838f998e3083e5afb5cccddbd307b772a34e8f4438501cd938b16e286771a12c391f32298df340313d3d50248c9c49a9dfe28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A5DB9A71-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
5KB

MD5
910f7bb33473d1069784068b7101db28

SHA1
2457db0cadf1b4c4cdcdffab2495ca723c72538a

SHA256
f5ba8b7da90ee22489f0f65128ccc1a5554df6bb934e897a15ad5414f0e05661

SHA512
233a8f8ab3fc8adb7db4ef4e8634e67d8484493a47895412a205ce798b9c037191fad6e86b340330e6115fd7ca0f51e78e9c78fe9e8c798bdeef6df71f99826f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6D0E751-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
4KB

MD5
4c314caf8c141bf9c4ad5e3839173a81

SHA1
f7aa7985a9eeaf719d847ef9dbb68b322a31578b

SHA256
e142b69e8089804a548b651e03a6370434a8d9af4177c40b68424a333c523ce3

SHA512
d90767150aa20d189d7fef27b944b9794d049f988e50876229edc92b133409581786b6ce7167738827aff2ad48b953c8396d662d468a9d84f5116398d8edcc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6D0E751-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
3KB

MD5
d95ceca59d94bcabaa752084e5a15091

SHA1
6618ad8be0941182857cac613b4e4ac387ce60f1

SHA256
bcabd503d78fee0a0d1f8a04a023a24d49f450056f49408866f451761ce07c42

SHA512
4f82463ac50a7113c34103ecf5e50c98683bd5498c37210d49f18186a08f48d2989a7ee9b0678965a5596d4a0570a72f0b849dbce945197a1428f89d89157004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C61079F1-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
5KB

MD5
3189d00b730129bff631f8d3ec485752

SHA1
686ec5042337964d4df8e9efc1e23852f9bbf61a

SHA256
9a291d06b4e6d4c0d6fd4afd2ff305ce76800e0d5c315cbc6145b09ed1789311

SHA512
a01485e0fc1e82608332a3a3d55dd9bd480ae5ca07e482955c2f99cedefd403dfb67fd1921890c637eb2dca242b1b6affc1f2025f1202b6cafd93781700e3cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C66577C1-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
3KB

MD5
1c541722a9199856392689b05e762589

SHA1
33ff7868e5e720b8920079ecddd720216c4cf8ea

SHA256
fdfa530db1d6941cc9e266e1d9cbf681b4538a03dabea5693566bef51df78801

SHA512
8da847390df05c86f0525fb0de3362834102d731bdcab339a3122310e1d76cf1064b3f984bf73679ee7b62a86c6cbf5f0f630c1570f0b4ce980c9459cc4f245e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C93A69B1-5507-11ED-99DD-66E385D9D2EC}.dat

Filesize
5KB

MD5
a8d6bc884e9db1260fc15117feef0583

SHA1
044e1361fc24ddde7ae8fbcbfc1b5c4ccec266b3

SHA256
6fbd8bf26b250b30f8d52df03ee6dda2afa3415edfcc682828c9081ef3918f42

SHA512
83a8d8a76e89fcd8b838594b74f13742265b1fe75cd5fd6f0b148ef375db32c5ffaffbf258aeec2aed9dfacc97f1d1b34e8040d43a6a206f8141bd66d0169bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y9JWP165.txt

Filesize
606B

MD5
96f76f429a0d9c83c8eb22f5b3ceef0d

SHA1
3ec8285f8a36ea2ab9d44957b46f005fc9330a14

SHA256
54161bdefe22d3c7426e26936e53a4c1f995231166294a03c5201df682e36c6d

SHA512
63a58e024e43deb47ce33e485e761a8371047a46cd81e8973cdf9d5358c11112f6942def0f596b499b6a2204ad18e5d3e5dbce8b1a22c04d31fffb13ed724553

Download Submit
memory/320-66-0x000000006A0A1000-0x000000006A0A4000-memory.dmp

Filesize
12KB

Download
memory/320-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/320-62-0x0000000073B7D000-0x0000000073B88000-memory.dmp

Filesize
44KB

Download
memory/320-57-0x0000000072B91000-0x0000000072B93000-memory.dmp

Filesize
8KB

Download
memory/320-77-0x0000000073B7D000-0x0000000073B88000-memory.dmp

Filesize
44KB

Download
memory/960-54-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/3484-561-0x0000000073B7D000-0x0000000073B88000-memory.dmp

Filesize
44KB

Download
memory/3484-567-0x0000000073B7D000-0x0000000073B88000-memory.dmp

Filesize
44KB

Download
memory/4688-112-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download