36f9c99c0b529fe4d180a8d302547184637038e5b2fa0f87ffea1edc09f4d9b7

Analysis

max time kernel
63s
max time network
70s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sussy.ps1
Size

844B
MD5

f145edd46c26125876a178d2c9971c6b
SHA1

b45f348082d56972a0581806614a48a3077adf9a
SHA256

36f9c99c0b529fe4d180a8d302547184637038e5b2fa0f87ffea1edc09f4d9b7
SHA512

6e3ab34b3444f5bdace1f38ed2862765c342ea39afdb9dd6b188f385f76548858f09ee43c31dc2c433a5ab73d197514c86f963db13890a3f31427134e2341fc9

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sussy.ps1	powershell.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	mspaint.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3044	mspaint.exe
2960	mspaint.exe
2612	mspaint.exe
2716	mspaint.exe
2960	mspaint.exe
2716	mspaint.exe
2696	mspaint.exe
2960	mspaint.exe
2960	mspaint.exe
2716	mspaint.exe
2716	mspaint.exe
2696	mspaint.exe
2696	mspaint.exe
2696	mspaint.exe
2612	mspaint.exe
2612	mspaint.exe
2612	mspaint.exe
3044	mspaint.exe
3044	mspaint.exe
3044	mspaint.exe
2892	mspaint.exe
2892	mspaint.exe
2892	mspaint.exe
2892	mspaint.exe
1592	mspaint.exe
1592	mspaint.exe
1592	mspaint.exe
1592	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
1412	mspaint.exe
1412	mspaint.exe
1412	mspaint.exe
1412	mspaint.exe
2364	mspaint.exe
2364	mspaint.exe
2364	mspaint.exe
2364	mspaint.exe
1400	mspaint.exe
1400	mspaint.exe
1400	mspaint.exe
1400	mspaint.exe
2356	mspaint.exe
2356	mspaint.exe
2356	mspaint.exe
2356	mspaint.exe
2044	mspaint.exe
2044	mspaint.exe
2044	mspaint.exe
2044	mspaint.exe
2672	mspaint.exe
2672	mspaint.exe
2672	mspaint.exe
2672	mspaint.exe
272	mspaint.exe
272	mspaint.exe
272	mspaint.exe
272	mspaint.exe
2080	mspaint.exe
2080	mspaint.exe
2080	mspaint.exe
2080	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2500	2216	powershell.exe	29
PID 2216 wrote to memory of 2500	2216	powershell.exe	29
PID 2216 wrote to memory of 2500	2216	powershell.exe	29
PID 2216 wrote to memory of 3044	2216	powershell.exe	30
PID 2216 wrote to memory of 3044	2216	powershell.exe	30
PID 2216 wrote to memory of 3044	2216	powershell.exe	30
PID 2216 wrote to memory of 1716	2216	powershell.exe	31
PID 2216 wrote to memory of 1716	2216	powershell.exe	31
PID 2216 wrote to memory of 1716	2216	powershell.exe	31
PID 2216 wrote to memory of 2960	2216	powershell.exe	32
PID 2216 wrote to memory of 2960	2216	powershell.exe	32
PID 2216 wrote to memory of 2960	2216	powershell.exe	32
PID 2216 wrote to memory of 2544	2216	powershell.exe	33
PID 2216 wrote to memory of 2544	2216	powershell.exe	33
PID 2216 wrote to memory of 2544	2216	powershell.exe	33
PID 2216 wrote to memory of 2612	2216	powershell.exe	34
PID 2216 wrote to memory of 2612	2216	powershell.exe	34
PID 2216 wrote to memory of 2612	2216	powershell.exe	34
PID 2216 wrote to memory of 2968	2216	powershell.exe	36
PID 2216 wrote to memory of 2968	2216	powershell.exe	36
PID 2216 wrote to memory of 2968	2216	powershell.exe	36
PID 2216 wrote to memory of 2716	2216	powershell.exe	37
PID 2216 wrote to memory of 2716	2216	powershell.exe	37
PID 2216 wrote to memory of 2716	2216	powershell.exe	37
PID 2216 wrote to memory of 2928	2216	powershell.exe	38
PID 2216 wrote to memory of 2928	2216	powershell.exe	38
PID 2216 wrote to memory of 2928	2216	powershell.exe	38
PID 2216 wrote to memory of 2696	2216	powershell.exe	39
PID 2216 wrote to memory of 2696	2216	powershell.exe	39
PID 2216 wrote to memory of 2696	2216	powershell.exe	39
PID 2216 wrote to memory of 2888	2216	powershell.exe	40
PID 2216 wrote to memory of 2888	2216	powershell.exe	40
PID 2216 wrote to memory of 2888	2216	powershell.exe	40
PID 2216 wrote to memory of 2892	2216	powershell.exe	41
PID 2216 wrote to memory of 2892	2216	powershell.exe	41
PID 2216 wrote to memory of 2892	2216	powershell.exe	41
PID 2216 wrote to memory of 2432	2216	powershell.exe	42
PID 2216 wrote to memory of 2432	2216	powershell.exe	42
PID 2216 wrote to memory of 2432	2216	powershell.exe	42
PID 2216 wrote to memory of 1592	2216	powershell.exe	43
PID 2216 wrote to memory of 1592	2216	powershell.exe	43
PID 2216 wrote to memory of 1592	2216	powershell.exe	43
PID 2216 wrote to memory of 616	2216	powershell.exe	44
PID 2216 wrote to memory of 616	2216	powershell.exe	44
PID 2216 wrote to memory of 616	2216	powershell.exe	44
PID 2216 wrote to memory of 2232	2216	powershell.exe	45
PID 2216 wrote to memory of 2232	2216	powershell.exe	45
PID 2216 wrote to memory of 2232	2216	powershell.exe	45
PID 2216 wrote to memory of 2008	2216	powershell.exe	46
PID 2216 wrote to memory of 2008	2216	powershell.exe	46
PID 2216 wrote to memory of 2008	2216	powershell.exe	46
PID 2216 wrote to memory of 1412	2216	powershell.exe	47
PID 2216 wrote to memory of 1412	2216	powershell.exe	47
PID 2216 wrote to memory of 1412	2216	powershell.exe	47
PID 2216 wrote to memory of 1488	2216	powershell.exe	48
PID 2216 wrote to memory of 1488	2216	powershell.exe	48
PID 2216 wrote to memory of 1488	2216	powershell.exe	48
PID 2216 wrote to memory of 2364	2216	powershell.exe	49
PID 2216 wrote to memory of 2364	2216	powershell.exe	49
PID 2216 wrote to memory of 2364	2216	powershell.exe	49
PID 2216 wrote to memory of 2152	2216	powershell.exe	50
PID 2216 wrote to memory of 2152	2216	powershell.exe	50
PID 2216 wrote to memory of 2152	2216	powershell.exe	50
PID 2216 wrote to memory of 1400	2216	powershell.exe	51

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sussy.ps1
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2500
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1716
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2544
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2968
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2928
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2888
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2432
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:616
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2008
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1412
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1488
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2152
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1400
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:280
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1072
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2732
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1384
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:272
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2096
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2080
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1284
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2512
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1792
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:1344
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2144
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2768
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1944
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:816
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:748
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:1268
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:332
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:1720
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1724
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:884
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2384
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2860
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1016
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:1492
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:868
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:860
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2936
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2848
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2944
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:992
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3056
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2528
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:300
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:1620
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1600
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:1176
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2708
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2440
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2448
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2480
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1288
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2616
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2256
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:576
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:604
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2240
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2996
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2916
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2024
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2032
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1036
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2972
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2644
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:560
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3132
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3140
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3176
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3188
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3236
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3244
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3268
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3276
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3324
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3340
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3364
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3380
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3412
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3428
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3496
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3504
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3536
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3548
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3568
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3588
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3624
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3632
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3668
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3676
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3708
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3716
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3744
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3752
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3768
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3776
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3812
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3824
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3868
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3876
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3888
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3896
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3920
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3928
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3964
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3972
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3988
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3996
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4004
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4012
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4048
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4056
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4080
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4088
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3100
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3108
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4100
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4116
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4164
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4172
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4196
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4204
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4280
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4288
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4328
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4336
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4364
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4372
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4412
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:4420
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4452
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4460
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4532
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4540
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4556
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4564
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4580
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4588
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4596
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4604
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4612
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4620
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4644
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4652
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4668
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4676
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4684
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4692
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4700
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4708
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4792
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4800
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4808
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4816
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4828
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4836
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4844
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4852
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4860
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4868
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4876
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4884
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4892
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4900
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4908
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4916
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4924
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4932
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4940
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4948
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4956
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4964
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4972
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4980
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4988
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4996
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5004
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5012
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5020
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5028
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5036
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5044
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5052
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5060
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5068
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5076
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5084
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5092
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5100
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5108
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4240
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4464
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4456
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4480
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4536
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4448
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4472
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4528
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4420
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4540
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4560
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4568
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4564
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4412
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4580
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4588
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4596
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4604
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4616
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4620
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4628
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4636
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4428
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4436
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4640
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4372
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4652
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4368
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4648
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4680
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4672
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4688
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4696
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4704
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4712
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4804
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4796
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4820
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4812
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4832
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4840
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4848
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4856
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4864
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4880
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4892
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4900
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4908
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4928
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4952
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4956
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4964
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4996
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4988
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5028
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5020
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5052
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5068
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5096
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5104
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3400
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4396
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4744
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4480
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4552
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4328
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4420
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4540
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4564
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4592
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4624
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4632
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4440
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4388
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4372
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4640
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4648
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4680
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4704
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4696
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4820
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4812
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4864
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4356
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4292
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4880
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4920
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4912
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4288
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4280
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4916
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4936
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4308
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4304
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4952
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4196
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4224
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4176
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4956
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4964
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4184
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4120
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4116
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5016
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4988
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4100
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4996
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4148
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4140
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3112
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3104
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5024
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4108
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4112
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4132
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5060
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3488
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5076
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3480
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4072
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4008
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:5092
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5104
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3256
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3992
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3448
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3160
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3972
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3968
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4044
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3932
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3928
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3916
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3900
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4744
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:4456
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3888
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3956
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3912
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3880
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4328
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3868
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3844
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3828
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4472
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:4264

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:4628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-56-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/272-57-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/816-66-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/816-67-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1268-68-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/1344-62-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/1344-63-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/1400-46-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1400-44-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/1412-36-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/1412-40-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/1592-27-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/1592-30-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2044-51-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2044-53-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2080-59-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2080-58-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2216-25-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2216-4-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2216-11-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-26-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-28-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-10-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-29-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-9-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-31-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-7-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-5-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-33-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2216-8-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-52-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2232-34-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2232-32-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2356-49-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2356-48-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2364-41-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2364-42-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2512-60-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2512-61-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2612-39-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2612-14-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2612-20-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2672-54-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2672-55-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2696-38-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2696-21-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2696-19-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2696-45-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2716-35-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2716-13-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2716-17-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2716-43-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2768-64-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2768-65-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2892-24-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2892-23-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2892-47-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2960-18-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2960-15-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/2960-37-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/3044-22-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download
memory/3044-50-0x000007FEF2080000-0x000007FEF20CC000-memory.dmp

Filesize
304KB

Download