3d233d7990665bdc22a168ef3bb774026f568ff59485210e99e6e0872bcf734c

Analysis

max time kernel
149s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ParrotCr4shv2.bat
Size

151B
MD5

583c75717a6c1be4062dca3474a83a7b
SHA1

70be6e4193320b86ef3f6f246a408a559b2ea6bb
SHA256

3d233d7990665bdc22a168ef3bb774026f568ff59485210e99e6e0872bcf734c
SHA512

ef4f561058555e4429c544cc7d0534b262c8f5da14f10c91e511e1047e18dc0d11ad11dfc8c5d3164bcbd9f41fd74909b888c1f67807158de499745232acbe69

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1380	mspaint.exe
1172	mspaint.exe
1748	mspaint.exe
876	wordpad.exe
1500	wordpad.exe
876	wordpad.exe
1500	wordpad.exe
1500	wordpad.exe
876	wordpad.exe
1172	mspaint.exe
1748	mspaint.exe
1952	wordpad.exe
1380	mspaint.exe
1952	wordpad.exe
1740	mspaint.exe
1952	wordpad.exe
1740	mspaint.exe
1380	mspaint.exe
1172	mspaint.exe
1748	mspaint.exe
1380	mspaint.exe
1172	mspaint.exe
1748	mspaint.exe
1944	wordpad.exe
1944	wordpad.exe
1944	wordpad.exe
1740	mspaint.exe
1740	mspaint.exe
792	mspaint.exe
792	mspaint.exe
2008	wordpad.exe
2008	wordpad.exe
2008	wordpad.exe
792	mspaint.exe
792	mspaint.exe
2132	mspaint.exe
2132	mspaint.exe
2228	wordpad.exe
2228	wordpad.exe
2308	mspaint.exe
2228	wordpad.exe
2132	mspaint.exe
2132	mspaint.exe
2308	mspaint.exe
1500	wordpad.exe
1500	wordpad.exe
876	wordpad.exe
876	wordpad.exe
2412	wordpad.exe
2412	wordpad.exe
1952	wordpad.exe
1952	wordpad.exe
2412	wordpad.exe
2496	mspaint.exe
2308	mspaint.exe
2308	mspaint.exe
2496	mspaint.exe
1944	wordpad.exe
1944	wordpad.exe
2640	wordpad.exe
2640	wordpad.exe
2496	mspaint.exe
2496	mspaint.exe
2640	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2040	832	cmd.exe	32
PID 832 wrote to memory of 2040	832	cmd.exe	32
PID 832 wrote to memory of 2040	832	cmd.exe	32
PID 832 wrote to memory of 1172	832	cmd.exe	30
PID 832 wrote to memory of 1172	832	cmd.exe	30
PID 832 wrote to memory of 1172	832	cmd.exe	30
PID 832 wrote to memory of 1276	832	cmd.exe	29
PID 832 wrote to memory of 1276	832	cmd.exe	29
PID 832 wrote to memory of 1276	832	cmd.exe	29
PID 832 wrote to memory of 1152	832	cmd.exe	33
PID 832 wrote to memory of 1152	832	cmd.exe	33
PID 832 wrote to memory of 1152	832	cmd.exe	33
PID 832 wrote to memory of 2008	832	cmd.exe	34
PID 832 wrote to memory of 2008	832	cmd.exe	34
PID 832 wrote to memory of 2008	832	cmd.exe	34
PID 832 wrote to memory of 1684	832	cmd.exe	45
PID 832 wrote to memory of 1684	832	cmd.exe	45
PID 832 wrote to memory of 1684	832	cmd.exe	45
PID 832 wrote to memory of 680	832	cmd.exe	44
PID 832 wrote to memory of 680	832	cmd.exe	44
PID 832 wrote to memory of 680	832	cmd.exe	44
PID 832 wrote to memory of 464	832	cmd.exe	43
PID 832 wrote to memory of 464	832	cmd.exe	43
PID 832 wrote to memory of 464	832	cmd.exe	43
PID 832 wrote to memory of 1380	832	cmd.exe	35
PID 832 wrote to memory of 1380	832	cmd.exe	35
PID 832 wrote to memory of 1380	832	cmd.exe	35
PID 832 wrote to memory of 1416	832	cmd.exe	42
PID 832 wrote to memory of 1416	832	cmd.exe	42
PID 832 wrote to memory of 1416	832	cmd.exe	42
PID 832 wrote to memory of 1460	832	cmd.exe	41
PID 832 wrote to memory of 1460	832	cmd.exe	41
PID 832 wrote to memory of 1460	832	cmd.exe	41
PID 832 wrote to memory of 1456	832	cmd.exe	36
PID 832 wrote to memory of 1456	832	cmd.exe	36
PID 832 wrote to memory of 1456	832	cmd.exe	36
PID 832 wrote to memory of 1852	832	cmd.exe	40
PID 832 wrote to memory of 1852	832	cmd.exe	40
PID 832 wrote to memory of 1852	832	cmd.exe	40
PID 832 wrote to memory of 320	832	cmd.exe	39
PID 832 wrote to memory of 320	832	cmd.exe	39
PID 832 wrote to memory of 320	832	cmd.exe	39
PID 832 wrote to memory of 1192	832	cmd.exe	37
PID 832 wrote to memory of 1192	832	cmd.exe	37
PID 832 wrote to memory of 1192	832	cmd.exe	37
PID 832 wrote to memory of 1748	832	cmd.exe	46
PID 832 wrote to memory of 1748	832	cmd.exe	46
PID 832 wrote to memory of 1748	832	cmd.exe	46
PID 832 wrote to memory of 1504	832	cmd.exe	48
PID 832 wrote to memory of 1504	832	cmd.exe	48
PID 832 wrote to memory of 1504	832	cmd.exe	48
PID 1684 wrote to memory of 876	1684	write.exe	49
PID 1684 wrote to memory of 876	1684	write.exe	49
PID 1684 wrote to memory of 876	1684	write.exe	49
PID 1852 wrote to memory of 1500	1852	cmd.exe	50
PID 1852 wrote to memory of 1500	1852	cmd.exe	50
PID 1852 wrote to memory of 1500	1852	cmd.exe	50
PID 832 wrote to memory of 1516	832	cmd.exe	51
PID 832 wrote to memory of 1516	832	cmd.exe	51
PID 832 wrote to memory of 1516	832	cmd.exe	51
PID 832 wrote to memory of 912	832	cmd.exe	52
PID 832 wrote to memory of 912	832	cmd.exe	52
PID 832 wrote to memory of 912	832	cmd.exe	52
PID 832 wrote to memory of 1248	832	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ParrotCr4shv2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1276
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2040
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1152
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2008
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1380
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:1192
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:320
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1852
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1500
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1460
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:464
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:680
- C:\Windows\system32\write.exe
  write
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:876
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1504
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1516
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:912
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1248
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1952
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:984
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:1548
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1568
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1496
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1088
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:928
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1944
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1092
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:792
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:540
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:948
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1456
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1040
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2008
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2076
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2144
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2152
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2164
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2188
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2228
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2276
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2328
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2352
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2368
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2392
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2412
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2460
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2508
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2548
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2576
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2588
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2640
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2660
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2724
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2736
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2744
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2756
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2784
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2808
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2816
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2844
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2876
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2904
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2944
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2956
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2984
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3020
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3048
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:928
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2056
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2100
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1092
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2256
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2168
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2324
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2236
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2368
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2480
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2700
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2636
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2628
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2588
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2800
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2828
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2864
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3068
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3016
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2072
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3032
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:1248
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2348
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1092
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2432
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2804
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2584
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2920
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2604
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2956
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2224
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:2996
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2620
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2636
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2612
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2960
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:2720
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3096
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3136
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3172
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3180
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3472
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3188
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3196
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3204
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3220
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3228
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3248
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3640
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3240
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3260
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3268
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3276
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3296
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3304
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3312
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3320
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3748
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3328
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3340
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3348
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3364
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3376
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3384
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3396
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3892
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3404
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3412
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3432
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3444
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3488
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3500
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3512
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4024
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3520
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3528
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:3540
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3560
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3572
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3608
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3632
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3004
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3664
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3684
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3700
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3708
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3716
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3728
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4204
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3756
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3768
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3784
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3804
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3816
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3832
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3840
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4372
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3868
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3884
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:3908
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3940
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3948
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3968
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3976
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4556
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3992
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4036
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:4052
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4060
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4092
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3148
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2256
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4712
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2792
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3604
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3984
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4104
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4132
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4152
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4920
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4164
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4184
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4212
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4244
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4284
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4312
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4328
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5084
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4384
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4404
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4432
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4472
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4484
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4492
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3248
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4532
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4564
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4588
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4628
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4640
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4672
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5264
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4732
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:4752
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4780
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4820
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4836
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4856
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5472
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4880
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4912
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4936
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4956
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:4992
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5004
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5016
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5652
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5036
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5068
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5104
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4320
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3336
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3456
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3180
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5796
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:3260
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4400
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4948
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:5156
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5172
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5184
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6020
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5216
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5256
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5280
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5288
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:5340
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5352
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5360
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3400
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5388
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5420
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5444
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5480
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:5496
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5540
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5552
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5976
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5564
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5600
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5632
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5664
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:5696
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5724
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5732
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6336
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5740
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5772
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5812
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5844
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:5880
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5896
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5904
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6508
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5932
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5944
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5996
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6032
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6052
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6088
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6100
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6652
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6120
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:4128
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3112
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3512
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3008
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5440
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6824
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5628
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5808
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6152
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6184
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6204
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6236
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7020
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6244
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6252
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:6272
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6312
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6352
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6368
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6408
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:588
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6436
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:6452
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6496
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6528
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6552
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6584
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5788
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6596
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6604
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:6620
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6640
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6696
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6724
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6760
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7324
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6780
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6788
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:6804
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6856
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6884
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6912
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6944
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7512
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6952
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6964
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:6984
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7028
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7048
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7084
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7100
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7692
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7128
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7140
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3568
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4552
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:6592
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6756
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5464
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7872
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6800
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:4336
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:5016
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6996
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7208
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7232
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7260
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8048
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7276
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7284
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:7308
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7340
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7356
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7408
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7432
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5360
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7448
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7456
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:7476
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7500
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7540
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7584
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7612
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8216
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7620
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7636
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:7668
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7704
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7740
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7764
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7788
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8392
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7804
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7816
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:7844
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7880
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7912
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7948
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7976
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8584
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7992
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8000
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:8024
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8056
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8084
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8120
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8148
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8784
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8176
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:5784
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:6028
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3876
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7652
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7888
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5904
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8948
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8168
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:6664
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:6832
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8228
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8252
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8288
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8320
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9156
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8336
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8344
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:8356
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8408
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8420
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8480
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8500
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6584
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8528
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8544
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:8556
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8592
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8612
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8656
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8696
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9360
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8712
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8720
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:8740
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8760
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8808
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8844
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8872
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9556
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8888
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8904
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:8928
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8960
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8972
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9020
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9040
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9772
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9068
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9088
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:9100
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9140
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:9180
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6820
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6240
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10036
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8692
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:8896
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:7520
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9224
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:9256
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9284
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9292
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7100
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9316
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9336
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:9368
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9408
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:9456
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9476
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9496
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10072
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9512
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9544
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:9588
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9632
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:9656
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9692
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9720
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10488
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9728
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9756
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:9780
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9816
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:9856
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9900
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9916
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10672
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9936
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9948
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:9972
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10020
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10064
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10112
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10136
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10892
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10152
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:10168
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:10180
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10228
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:1640
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9528
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7260
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11068
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7436
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9928
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:7616
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7788
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10284
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10324
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10356
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8580
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10384
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:10396
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:10408
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10460
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10516
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10532
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10564
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11276
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10596
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:10608
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:10632
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10656
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10712
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10732
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10760
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11476
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10780
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:10804
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:10816
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10860
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10900
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10924
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10944
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11672
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10992
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:11012
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:11024
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11048
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:11104
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11120
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11144
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11960
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11184
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:11196
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:11224
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11244
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:10344
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10472
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10420
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12068
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6588
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:9348
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:3536
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10776
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:8696
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11308
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11344
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:1424
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11356
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:11396
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:11428
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11456
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:11488
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11504
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11548
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9296
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11580
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:11604
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:11612
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11652
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:11684
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11700
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11724
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12316
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11780
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:11812
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:11820
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11860
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:11876
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11936
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11968
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12480
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12000
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12016
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:12040
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12088
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12108
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12120
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12156
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12744
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12216
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12240
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:12248
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12280
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:11408
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3588
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3824
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12944
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11644
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:10016
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  PID:7688
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3928
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12080
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6220
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6708
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:13108
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5400
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:7152
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:12292
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12324
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12340
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12368
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12404
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8068
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12440
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12488
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:12508
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12568
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12628
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12644
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12652
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:892
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12664
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12684
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:12700
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12720
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12768
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12800
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12848
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:13316
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12888
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12896
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:12920
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12952
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:12996
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:13032
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:13048
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:13500
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:13072
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:13088
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:13124
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:13144
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:13164
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:13188
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:13208
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:13244
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:13268
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:7472
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3508
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:3160
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5052
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11260
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8980
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12520
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:13056
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10564
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:7376
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7572
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10948
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11948
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:12076
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:13328
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:13372
- C:\Windows\system32\calc.exe
  calc
  2⤵
  PID:13392
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:13408
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:13440
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:13448
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:13476
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  PID:13508
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:13528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
memory/792-64-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/792-65-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/876-90-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/876-70-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/928-85-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/928-81-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1172-58-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1172-61-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1248-98-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1248-92-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1380-57-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1380-60-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1500-69-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1500-89-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1740-63-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/1740-59-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1748-62-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1748-56-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/1944-94-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1944-74-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1952-91-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1952-71-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2008-77-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2008-95-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2132-68-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/2132-66-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2228-100-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2228-80-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2236-86-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2236-83-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2236-112-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2308-72-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2308-67-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2412-84-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/2412-106-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/2496-75-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2496-73-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2640-88-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2640-115-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2720-102-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2724-76-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2724-99-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2724-79-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2800-119-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2800-87-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2800-93-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2808-97-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2876-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2876-101-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2876-78-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2956-96-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/2956-103-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3020-104-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/3204-105-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3276-107-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3348-108-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3432-109-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3540-110-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3604-117-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3684-111-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3784-113-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/3908-114-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/4052-116-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download
memory/4212-118-0x000007FEFB520000-0x000007FEFB56C000-memory.dmp

Filesize
304KB

Download