398984b3f83181088396b031a5c80dcc486ad12c278a3b846a424654798fa3ad

Analysis

max time kernel
3s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 00:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

P4rr0tCr4sh3r_V1.exe
Size

139KB
MD5

b0e20c5a66c9ea6a84af3297c43e0ab6
SHA1

2aef2f78d20bb83f623f9af561db6b764a3ccaf2
SHA256

398984b3f83181088396b031a5c80dcc486ad12c278a3b846a424654798fa3ad
SHA512

fc68923e099d5ab15ecf0531b110d905a71ab60e11c6df0d02e23e7d7054177680f00a39ee7b223377855005b6a917cc3cc40877b3c453d4140c63ec7bf2e45c
SSDEEP

1536:agyJWH4azSaXtJ+WVkADPQHQBK8JEOROwHX9rdvrqLy:agWWB+gkArQHO1OcrxUy

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1952	mspaint.exe
1952	mspaint.exe
3936	mspaint.exe
3936	mspaint.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1960	shutdown.exe
Token: SeRemoteShutdownPrivilege	1960	shutdown.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1952	mspaint.exe
3936	mspaint.exe
5020	wordpad.exe
1952	mspaint.exe
5020	wordpad.exe
5020	wordpad.exe
3936	mspaint.exe
3936	mspaint.exe
3936	mspaint.exe
1952	mspaint.exe
1952	mspaint.exe
5020	wordpad.exe
5020	wordpad.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1436	2164	P4rr0tCr4sh3r_V1.exe	87
PID 2164 wrote to memory of 1436	2164	P4rr0tCr4sh3r_V1.exe	87
PID 1436 wrote to memory of 1960	1436	cmd.exe	88
PID 1436 wrote to memory of 1960	1436	cmd.exe	88
PID 1436 wrote to memory of 3260	1436	cmd.exe	90
PID 1436 wrote to memory of 3260	1436	cmd.exe	90
PID 1436 wrote to memory of 1952	1436	cmd.exe	91
PID 1436 wrote to memory of 1952	1436	cmd.exe	91
PID 1436 wrote to memory of 1512	1436	cmd.exe	93
PID 1436 wrote to memory of 1512	1436	cmd.exe	93
PID 1436 wrote to memory of 1828	1436	cmd.exe	94
PID 1436 wrote to memory of 1828	1436	cmd.exe	94
PID 1436 wrote to memory of 4608	1436	cmd.exe	95
PID 1436 wrote to memory of 4608	1436	cmd.exe	95
PID 1436 wrote to memory of 4464	1436	cmd.exe	96
PID 1436 wrote to memory of 4464	1436	cmd.exe	96
PID 1436 wrote to memory of 4312	1436	cmd.exe	97
PID 1436 wrote to memory of 4312	1436	cmd.exe	97
PID 1436 wrote to memory of 3484	1436	cmd.exe	100
PID 1436 wrote to memory of 3484	1436	cmd.exe	100
PID 1436 wrote to memory of 3936	1436	cmd.exe	98
PID 1436 wrote to memory of 3936	1436	cmd.exe	98
PID 1436 wrote to memory of 3060	1436	cmd.exe	102
PID 1436 wrote to memory of 3060	1436	cmd.exe	102
PID 4464 wrote to memory of 5020	4464	notepad.exe	104
PID 4464 wrote to memory of 5020	4464	notepad.exe	104
PID 1436 wrote to memory of 2916	1436	cmd.exe	219
PID 1436 wrote to memory of 2916	1436	cmd.exe	219
PID 1436 wrote to memory of 1832	1436	cmd.exe	110
PID 1436 wrote to memory of 1832	1436	cmd.exe	110
PID 1436 wrote to memory of 5008	1436	cmd.exe	111
PID 1436 wrote to memory of 5008	1436	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\P4rr0tCr4sh3r_V1.exe
"C:\Users\Admin\AppData\Local\Temp\P4rr0tCr4sh3r_V1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\694E.tmp\P4rr0tCr4sh3r.bat" "C:\Users\Admin\AppData\Local\Temp\P4rr0tCr4sh3r_V1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\shutdown.exe
    shutdown.exe -s -t 60 -c "You have been crashed by P4rr0tCr4sh3r, say goodbye to your pc in the next 1 min :D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3260
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1512
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1828
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:4608
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:4464
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5020
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4312
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3936
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3484
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3060
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2916
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1832
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5008
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4396
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4920
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4736
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3016
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3244
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4596
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2684
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:4224
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:396
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:1740
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:836
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:952
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3856
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2008
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:3300
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:4452
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1580
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4964
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2772
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4104
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3188
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2908
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:4972
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:3184
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5216
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4368
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5288
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5376
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5444
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5464
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5456
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5560
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5640
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5580
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5684
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5716
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5744
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5776
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5928
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5920
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5912
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6060
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5900
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6084
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6108
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:664
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1004
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5224
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5616
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2296
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5156
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3564
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4868
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4920
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1228
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1648
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:1720
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:2080
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5876
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1128
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3452
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5968
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1188
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:4108
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5548
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5364
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3628
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5492
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5488
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2680
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4240
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5328
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1088
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5712
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1188
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3988
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4576
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5560
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:4372
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:2980
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5944
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5416
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2916
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4040
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2824
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6256
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6308
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:6320
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6452
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6400
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6520
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6580
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6588
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6680
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6704
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:6772
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6916
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6808
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6796
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6788
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6956
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7032
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7056
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7084
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6124
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3872
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5756
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5348
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5916
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5996
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:5148
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1520
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6320
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6240
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3740
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6340
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6244
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6968
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6692
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:6724
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:2900
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6908
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7156
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7108
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4372
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5676
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:3552
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6300
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5936
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7112
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6320
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:6476
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6408
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6444
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5132
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7076
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7040
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6104
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5208
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1720
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4304
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6436
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:3556
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:7248
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5256
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6476
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7280
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7292
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7336
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7320
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7428
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:7604
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7476
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7468
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7460
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7584
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7688
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7736
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7784
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8004
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7808
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7828
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7856
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7848
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7840
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8016
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8116
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:7464
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8152
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6684
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5712
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4584
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6264
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7864
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4984
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7344
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8332
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8396
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8360
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8448
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8512
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8440
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8432
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8424
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8900
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8352
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8344
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8596
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8752
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8908
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9072
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9028
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9152
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9192
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6188
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7928
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8108
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9056
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8372
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7696
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1704
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7092
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8088
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8808
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9004
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7992
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8392
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8312
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7928
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7696
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3124
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6396
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7636
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7672
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10168
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9340
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9532
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9332
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9324
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9316
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10824
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9308
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9300
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9292
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9284
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10144
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9276
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9268
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9260
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10736
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9252
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9244
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9236
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10416
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9228
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9220
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7996
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:7932
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10668
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8732
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7320
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8488
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8864
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8720
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8984
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8964
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8896
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8628
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8800
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8840
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8844
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8792
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8656
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8804
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8820
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8680
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8400
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6732
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8080
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:10716
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:11016
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10948
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:11120
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11136
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:11260
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7992
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8928
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8964
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:2644
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8092
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8396
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8804
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10284
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10032
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9768
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10552
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7932
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10080
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9468
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10208
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9828
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10436
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9404
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:10848
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:11228
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9856
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10572
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8984
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7812
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10616
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:10236
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9460
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10136
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9248
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10004
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10716
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10884
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8948
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8792
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:10592
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9800
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10236
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:11236
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10760
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10548
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10192
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9900
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10864
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:11436
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10696
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9928
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9884
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12424
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9760
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10592
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8056
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8984
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9752
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4568
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:2544
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12228
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9624
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9324
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10472
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9700
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10400
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:3252
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8732
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:11192
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9396
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10960
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10340
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11012
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10968
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:11000
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:8416
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12068
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9612
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:11216
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7720
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10216
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10788
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:12052
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9104
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:12100
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12564
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12164
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:12156
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:12144
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:10800
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12416
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10608
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9960
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10676
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9896
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9032
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10684
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9788
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8076
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10732
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:12240
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:12232
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:11728
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:9440
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:12732
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:12672
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:13120
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11788
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4876
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:12144
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1200
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:4520
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10576
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:12504
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9040
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:13044
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1292
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2312
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:12332
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:12676
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13048
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10436
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:12348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies registry class
PID:3624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4296

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9620

C:\Program Files\Windows NT\Accessories\wordpad.exe
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
1⤵
PID:10560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10604

C:\Program Files\Windows NT\Accessories\wordpad.exe
"C:\Program Files\Windows NT\Accessories\wordpad.exe"
1⤵
PID:10532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13108

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ef055 /state1:0x41c64e6d
1⤵
PID:13136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:3468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:2888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:5988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:10540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:11332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:11216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:13200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:13292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
- Modifies registry class
PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:13076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:10044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:11524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:11428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:12000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:9596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\694E.tmp\P4rr0tCr4sh3r.bat

Filesize
253B

MD5
690b14eb0768a65feb6b5b20a73fa0ba

SHA1
8a0f9bde36eb729a701041a84d3cacdc36b10185

SHA256
613219bfb9e8d14af0ff1a036000037370505d2d1c0a567e4119b04de96be15f

SHA512
e998df8ea65aa6c05fd96584c8d4d1e26e7805b9833c38ed7bc1c15ef1f08e9239489aee5ac23ea24f75dd688ab5ab0600e2420fc4a9aec0e36590cc59ce8270

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
8a6e1a1aedbdfa39912fad71f9eb354c

SHA1
cc22653a7b6c75dbc1c4b2de5d76b0861ea8cdef

SHA256
7f3b937a1d65c4a2e7fd9ceb088906246b36a215ce5ee0a7121d7dc889dfe7d7

SHA512
586d0316d07e005e368304ef91c9db6800c8188fd4f66dfc46a512a3def26a6d5431be633073c003063f27de1c09cd96b06352c277644fcacfecb3722661c284

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
39d05a628f7778ed92f73d7ace53a218

SHA1
26012f8f3aae86a0d6fe5f906456733a3b301a82

SHA256
710cd1247432073d608634832f4849a4493c7d68dc6ae8ae053064b3944085f3

SHA512
64a9a1713fd28e291e738cccf54dbdbfe4b77ad23babbf21ee0fc762dbe32da05c9004cfc0bff55dc0bffa812c2e390e0acb01616d6702ea8c6ac73ea523d6c3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
2ad5906821e0334bbf85a19f00f81ae7

SHA1
676d575dbe1ea386f21a068e1e30b55af6939f75

SHA256
f5768cd1cde0d668d9145dffc3181bbebc1ccb69d537c0b1476cb6d93047f7a4

SHA512
a31cbbad50016debd5510147825bdedbcd64e9eda0a69825542b38cebae685dd7478f84e23602c231d5f5c436149bd99fe0625591989ea2d9aa9880d33a232f7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
6bfa62a9f7db67d12c8d72dc9e66dcf2

SHA1
c2f621a4e8a4a838483e4786b55ff66853bafc1c

SHA256
dc8f17189dac6615c07cdad8646b050ac9b59a99015cc52a3e777124dea16249

SHA512
7c62227adc21f92e7936c2149212b708336f5b78e5d181e299a546f4579a97b3a582160e3cd439be42869c9307dfde74f84b95f92e22e112c8f6271252105931

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
96945c52b4729a15328c7e2acbc1d550

SHA1
f18a1c136a24b6a339af907e19af3bff0fec29bf

SHA256
9f4db262972dcd7af72c21c26718f635a40d7e7f651be97c12b002fa68367dd5

SHA512
73286433e2df5b9caad3e92e7f53ffbd46b572d4daf278d9b1a00071b5ae5e4c975e62d4e3bfda0f589a80d37169192addc7dee977a7f25c8725e67c83879dcb

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
806bee853af623af046828c2a1182e1b

SHA1
cdce7d8cdb2366013dfbc5164bd88906a279ebdb

SHA256
1e80e2b2042e86b8d7c8fd47c217f60da71b063adad8b9b1c617a19a75fd1d90

SHA512
9532f1bc43d4a1a2a8a431f947f3cba6b5915471d5c65b999701451750d55e2cc9a4da4a20a6dacb9d5fe865f856b1677ecd94dc9f7c39f9b02eb19dd03bc281

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
60646ceffb58472feaa2c4d552fdb5f7

SHA1
11445e8339cff691fbe732f1311a0a0cb39b1105

SHA256
e6b5c6225adedf47cdaa648150cb0c9366a5f5f221ffb410942843df7b7f65bc

SHA512
44aa45ae0a9e3bfce8e63ec20791a627d0d364af39d4df08b692ae2b9b2c313b621e5e1bce9da95de4992de1b90b60e41b410359d2ebd7cd3a1d3faeeee8a1b7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
48ed520f88fdd5dcd2f8a064326cb5e9

SHA1
5b434ada24ba85694bfa45004804661b8faa8f6d

SHA256
595e2fb3c3bfc9f7f7ce8c713c7ab3950d4b14846ba52b1369bbe9f5fb98a16f

SHA512
63fba95a5baaa4a3ff3d4ac556503ebd0b76e9f87d7e04a9c4e41c0cbf6c7b9fdddc0b9366236c1e3cfa6d90b80d712b01c97cb6d95b1a644ae4a15e16eee497

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
184d9dd6a871e74f3bd1b1835b93c51b

SHA1
4c7414c36549cf2c3010c20403b9f00ac3fececa

SHA256
2caaf7e58841b0ef4d3016700bc18e32b63040cffa380c1970644192b730844e

SHA512
df2150249e52adcb3652c6ef7da28822120ec961c574a7d68e1643c0434d7ec86aecec4953432aab4deed63620715a20c46bc6b157692a516f92e27ee6813f3f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
ef9219a6fa2165552c8f8050d0b94e03

SHA1
4ae5f58528436af586b7752ac09b7d332cab7df9

SHA256
c4e0dbf4363bb38b51b5b1231412cfdc8abaa7d64ec5948f14a601ddf4306d82

SHA512
d376b1dcfa5553a9ffb7902c5ef5f8200366e44e394ac243a0c0534b5b56369734c13d8e98a88c24b52062132235462387121a6ce39e144f2cd8d3aeb059607e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
03287bc1885f98096270a9353dcd5121

SHA1
9bb1cfb30be183a93c9c57dcf25ddb31a30adff1

SHA256
c78012574964cccdbd2ef916b1e258684723cf284b753b65df6fb079f91b083e

SHA512
ac57e08e3cd760a06c0d32284f7fd55b24877153d858f17d2925ccf24c469c83a03f74758e22665a851b7dc1eceea67b81474ccbeddcaa79250b73be42c3af60

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
b56a1a5c77f96580cb77f081dab9e7eb

SHA1
e35d0474baf74ece88938f022941d3084ad03471

SHA256
85da0af1207dce8728ce169a242a96a9e27c234c7d6a1b3a94d57fa7260b6ff5

SHA512
5d91a18b574fe0fc179b2b67baf74dd5b6c8cccc8d631f7d3e6832c2525dbeefeb4444cc8c226b020dc7adda9c6487c8f4bd09f75c3a4c01fe7d8e461540d25a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
6daaee874050dfdf7415b9b8d31b1c8e

SHA1
92952589cd13810ca674e9bd0c6a2108fe5514a1

SHA256
c88e81a27466060464c866c131239988bc1e0c202195a1ba491795f0873622e2

SHA512
5f3b1d8be5c76caa6ef1e63db29946a6f16e649e05f899b4d25fe0f3e3798f5fc4b6f3e6bb94e26811430735674a232e4bee5886e563fe025f40e63c2d7042ea

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
22KB

MD5
989a31479615793e57614400d04c8c52

SHA1
916a67fd043fa5ec0ed2acc70477fe526ba98837

SHA256
5e3cb7db9434c4d66bfb176cb828308f25947f71fa7ee4c1f73452d42b156a2c

SHA512
8ed7016dd50b512071447a20db74d042e181f7038425db35c9bbe7f2386a9a453924690bfc4fd4d9be9c411b7daf464038a0f10ba598425f2ab96b3da5b4256e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
c4f52c5c0d578ff303a48eaf01cd1d1b

SHA1
fd07cf1f1969d5b7056840aac7aa085e32aa40c2

SHA256
b84f78c311a51247d3fb7a7148a781ad7de957080109a0928f774daa69c97543

SHA512
4087815ddbe7ba59a45f1d1d787869010fb24cf20a573c912832bf6e4c3a0d71125ff837413e9e09280f2b028e6ec4109a36332b08063fe41466681fcf232503

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
3cc627b076b586365d8ca4c92a072fe8

SHA1
f119ba19ce6cb040392a2779e8dd6873b6b2f68e

SHA256
b633bfa5e2adcf4e08ea881161a052f286bf27bf2c39a308298dfff1c8877c59

SHA512
611929fdbfec76f151179a4a3504db562cabb9f8767c206ccdff418c030d6d7266d80e12678ef41319cb7357777139303c2b605a4c3c78dc2aba7d19c00995aa

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
a2332c37edf5b3455f9485812f70d067

SHA1
53699a8ad420b2bfb4996e61040ca005ab5f1dfc

SHA256
aadf0b8490e6661c5cefdac61445e5343b404552a3c2f7447b28ff16702da4d2

SHA512
71657f5789fcad3a7372e8e668de1cf160486d97f76ae9be8bd7161d01bb8cbd3e157262bcdbd4d370973a3012eec1979bd7245396350a5f722c978569bb2587

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
e4c358a82fbf048d29f88c4f3564527f

SHA1
8d4ee5dca7d685086ea04f93c6800994f46574e0

SHA256
2cb684d806a6d1f38b7132586a83601127177ed4dec021a89c53f98e25c216a5

SHA512
85c31b1107d80cbe673ae2089d7b5a6ec52939c5c5b62052d17328d3fa9d0f5cea3f49a60d09f7f07409eebdec661c1d7b66304646dc18a7c9c677ca6fa55824

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
88b62b4cea778478ede980c6064a9b63

SHA1
06c59d7e3a540429294ce4d8d6d4096aa8ea96d9

SHA256
21f399654064f8792593dbbaf80eeef3c061d98434ff6d5eda5f7767b8fe53e9

SHA512
6eb112ad35419d9e7435d7ef4bdd6a65f2f5439b4cb7e7f3a29a991d5b08f251b528cf65de2eb177e3a3726c23a183e940a51418b2a011967098be825bbe7585

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
3105b00e59e63a706ab3a28bebebf247

SHA1
7d207c9a2c0576aa99574fee6ea607678cb97103

SHA256
2073e938ac64b47f2a62ae5d1922e0f822fcb99346a4f9e9e6ae7671d465057f

SHA512
b1eb3c195ef3431e3a82de8b2f7522c6ab6b015d1c394102b5b45f06c7a53dcf18eda85c8efc15defba5f557a16e6bd37384ee7399beab7838a8d19fec667689

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
35KB

MD5
b9fb81792c7a1c0dfd9e56b861a7cd79

SHA1
fa61b8fd9eb318c1c583d49793232fc5874a1d2a

SHA256
f778ea370db33cd1afae2eda17189a39024be8928e82e63cc35b9d62fb6c50be

SHA512
0bd6dc9498a45d51f742280f59d9ee5d6681d7b04f75f53091907b812d8057b518d6280d723c2adbd28bc6bce76519f246d315dbdd14d174b883847135a8c34b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
6c70dca7a2a27e3b2e79ab3f0c159666

SHA1
2de612a1adc07645e18b63a14df83d1b686e1737

SHA256
c38e47ae88f16ad0b15482e0b9a921a6d034d427eac2dd53407db42d2f4ae4ca

SHA512
2bbde9770e2e19d5c287e00bc6cdec494a25aa9cac8034ed990f2383bdd85901ccf05e76c9625c5694c6bde93cb38054620e806544a1bd090d4dbf6888b5dc3f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
50b2fa2c983152ea88b726ad916fb007

SHA1
f7eed36aa089731e8fccdc570fc571f2a21f72ec

SHA256
01ec02e279ea9d633e9357d9d4f5cf252f8b8b52aea8f174f78f04fd50b6e46a

SHA512
12c4507910d77b79870489706eaf5c5cd8b8c2f1edf714360e2caacc430cf7687fd7178c4753487982e781eefa3f57a31d69a93a402a54021bfeb54f6d7067ee

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
41KB

MD5
51a00719f391b4208e0bd31e2e3ce3c3

SHA1
f5f12a016625f19230b0754fd26aee8549e5c8f2

SHA256
29bdf9762b78f9ef4dc9def73154f43af70188d9c4d5e9929c68fe5bfe427c74

SHA512
9d91fe28ba1c971c0122fe5352349bb00aed412e5cfbb43e68bcc7481ba8cbd84819bd5ce3003e3d701ecab60af8655c2a752509c764f76eef2ab51e19ac4489

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
e896be1a956717d191882ee6eb402789

SHA1
87ab7edb898187d11d08e157ea05e383f165ca8c

SHA256
cf5e47485e08e8d8528f3f0d268cdb3ff1a33aeed2260b5ab6e3f148ef8898b1

SHA512
afee8347107021001f0867d2feeda46939746c194d2ed7d359ea5f63838f75d4373cfe271494aaaaf1236ed8fb71651c6df10e2c1dec347cfab04e0f1129e12c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
aa7585f07433c8fb61e60a319932913b

SHA1
7cbcb0198996ece60b151dffcad8cb039ef1e814

SHA256
a3bf05b88ac4459735bad22df167b1418577b7bbce82b593de2f20d88fe04004

SHA512
b6a0c6989d0c239b1d2ec08163f53e085f10c732f61bbd45e3ce606ead27eb10fa31f1930f81ead8db40ef2ac32b3fdb3cdccc7a52862a28c92b79811f48f089

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
59eb67c57876fc5adce88761aecba2a6

SHA1
179876864d2a0345ce4bcb1e5ecb695e9bcc5a14

SHA256
84ec08987355aff3f1694c5a617e4583a7962722836db74411ba6d21761bf09b

SHA512
faaed89ef9558e33fcd5ff21e1c783349be9265b4bb5f0bf59ebba39204e58b170837ae69f6403b8b1d250ac5ab2dec318b6c7f001fdb10937468023b9e1549b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
59eb67c57876fc5adce88761aecba2a6

SHA1
179876864d2a0345ce4bcb1e5ecb695e9bcc5a14

SHA256
84ec08987355aff3f1694c5a617e4583a7962722836db74411ba6d21761bf09b

SHA512
faaed89ef9558e33fcd5ff21e1c783349be9265b4bb5f0bf59ebba39204e58b170837ae69f6403b8b1d250ac5ab2dec318b6c7f001fdb10937468023b9e1549b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
8987b28d834e2d9c1d001860d6a8fc76

SHA1
4752f48b65b170ebcefc9fe50efde35e80fe75fd

SHA256
ebb382d27db5ad5d5ec7f68b4070a42b41235b3389a50977850c8dc2b3399225

SHA512
11402f56a66e751cba40e5d685c49336874fba5da65e4da02c9699129b9a65456b0f9d47606bfcf3c41d46b98c6003db417dbc9cb212e54b05b628f1c5a32b2f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
54KB

MD5
f2d2c84b8b3f87f6b128607255f272ca

SHA1
ffc902c592ca483cca41c40d581e683b1404bf12

SHA256
3ba4712862284a50b4db587ad9e74ed43acca8f5864a38a77dda5cca9191a3c4

SHA512
2287783c1eaf787a0f1ca2e8616971ae9dfcd517f8f7f8ce94410f8ce23acb3ba870e81325e9a9f996a8a407183335cf65420b6f9846adabc14dff7eb01cf211

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
57KB

MD5
fb4b7b92416a9ecbb3ba48fd33eced62

SHA1
e1086916e112213223453c4bbf8c544816b33caa

SHA256
be84481a5793a8fb5ebd1112adfc9a043e4486bfb5414ecfc5f35d3fe308ab7c

SHA512
aff67e37d04bf5e1d5d098dde4bab1c3026425be31fe1f3b94cfafba298ced796b10fe7c1565a74eb64104dd8a7487ca971a15931c480c935f3dd65c313403c1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
75949252e3a09cc3503b2a61954fd17d

SHA1
ec136ac894af621d072d2d12980e6391eb078351

SHA256
c2c51b8703c2ca419d0598f4f2fa0a421efed1a6af7b21c4b3d4d3565bdb7b9f

SHA512
00926e01c1e4af269509aa148a655bc03dbe6f3c3547c605ab42776a8c29b1c780db30c5be93f9edc1dafc2c82256e11d4094a278a6acc2c02234f18ffbfe281

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
61KB

MD5
b284c3f46558584e010ff7a05df3ffcf

SHA1
84241b10313bd56331f00d746b07ded0388d5bba

SHA256
c2b3096074a0e77089fa78cdbc4272f88769491213c5f014b1e1d916df6488aa

SHA512
b1254998de50cdaf6430f3acd2be737c0ebb448f516bb5b8f1ed4237f30807dc7ec720f0768f0130d92db499da71daa2c326ad251f428a5e94c7753d39752a5c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
97dc2363eff3ed1c78cc854fe20277e5

SHA1
5c1c843b4ccc1769c507c8aa9b841b42357a4399

SHA256
66e217bea40baee75ca6f91fe2d56dfc58f9036e3aa05461ae709cb318875b8b

SHA512
b3d5ac0ca136e9da081b158c942408e831b71c660a9c297e4b3bd28f5208aaed28692eaf4e6d991a8ac3f0f1575fd3e8fd5715744ae488adb0db936c603ddc56

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
aadbb4ae54e894b2782f99090f453031

SHA1
02402b09af009be8c4def83e9cd256792b0fd98b

SHA256
b641cff2c1c1f5bae7e6373999c56ff879c3c3ee1a0752ed34c28e8c2d344aa0

SHA512
c8f15eb1a3f8cfc9fa1165f6868a04e81314486bfc5963afd9ef441abd1ac8b5d141d4c05a40c0f85da2710b8348eb336c69d2317f536e868f3f69514d0fc535

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
aadbb4ae54e894b2782f99090f453031

SHA1
02402b09af009be8c4def83e9cd256792b0fd98b

SHA256
b641cff2c1c1f5bae7e6373999c56ff879c3c3ee1a0752ed34c28e8c2d344aa0

SHA512
c8f15eb1a3f8cfc9fa1165f6868a04e81314486bfc5963afd9ef441abd1ac8b5d141d4c05a40c0f85da2710b8348eb336c69d2317f536e868f3f69514d0fc535

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
aadbb4ae54e894b2782f99090f453031

SHA1
02402b09af009be8c4def83e9cd256792b0fd98b

SHA256
b641cff2c1c1f5bae7e6373999c56ff879c3c3ee1a0752ed34c28e8c2d344aa0

SHA512
c8f15eb1a3f8cfc9fa1165f6868a04e81314486bfc5963afd9ef441abd1ac8b5d141d4c05a40c0f85da2710b8348eb336c69d2317f536e868f3f69514d0fc535

Download Submit