36f9c99c0b529fe4d180a8d302547184637038e5b2fa0f87ffea1edc09f4d9b7

Analysis

max time kernel
30s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sussy.ps1
Size

844B
MD5

f145edd46c26125876a178d2c9971c6b
SHA1

b45f348082d56972a0581806614a48a3077adf9a
SHA256

36f9c99c0b529fe4d180a8d302547184637038e5b2fa0f87ffea1edc09f4d9b7
SHA512

6e3ab34b3444f5bdace1f38ed2862765c342ea39afdb9dd6b188f385f76548858f09ee43c31dc2c433a5ab73d197514c86f963db13890a3f31427134e2341fc9

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sussy.ps1	powershell.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3752	powershell.exe
3752	powershell.exe
1520	mspaint.exe
1520	mspaint.exe
4992	mspaint.exe
4992	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
3656	mspaint.exe
3656	mspaint.exe
2676	mspaint.exe
2676	mspaint.exe
1500	mspaint.exe
1500	mspaint.exe
2312	mspaint.exe
2312	mspaint.exe
1620	mspaint.exe
1620	mspaint.exe
4920	mspaint.exe
4920	mspaint.exe
3396	mspaint.exe
3396	mspaint.exe
4140	mspaint.exe
4140	mspaint.exe
5076	mspaint.exe
5076	mspaint.exe
2360	mspaint.exe
2360	mspaint.exe
4432	mspaint.exe
4432	mspaint.exe
3760	mspaint.exe
3760	mspaint.exe
4420	mspaint.exe
4420	mspaint.exe
2196	mspaint.exe
2196	mspaint.exe
3292	mspaint.exe
3292	mspaint.exe
3620	mspaint.exe
3620	mspaint.exe
5164	mspaint.exe
5164	mspaint.exe
5236	mspaint.exe
5236	mspaint.exe
5292	mspaint.exe
5292	mspaint.exe
5376	mspaint.exe
5376	mspaint.exe
5440	mspaint.exe
5440	mspaint.exe
5532	mspaint.exe
5532	mspaint.exe
5592	mspaint.exe
5592	mspaint.exe
5632	mspaint.exe
5632	mspaint.exe
5728	mspaint.exe
5728	mspaint.exe
5792	mspaint.exe
5792	mspaint.exe
5868	mspaint.exe
5868	mspaint.exe
5932	mspaint.exe
5932	mspaint.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1520	mspaint.exe
1520	mspaint.exe
1520	mspaint.exe
1520	mspaint.exe
4992	mspaint.exe
4844	mspaint.exe
3656	mspaint.exe
2676	mspaint.exe
3656	mspaint.exe
4992	mspaint.exe
3656	mspaint.exe
3656	mspaint.exe
4992	mspaint.exe
4992	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
4844	mspaint.exe
2676	mspaint.exe
2676	mspaint.exe
2676	mspaint.exe
1500	mspaint.exe
1500	mspaint.exe
1500	mspaint.exe
1500	mspaint.exe
2312	mspaint.exe
1620	mspaint.exe
2312	mspaint.exe
2312	mspaint.exe
2312	mspaint.exe
1620	mspaint.exe
1620	mspaint.exe
1620	mspaint.exe
4920	mspaint.exe
4920	mspaint.exe
4920	mspaint.exe
4920	mspaint.exe
3396	mspaint.exe
4140	mspaint.exe
3396	mspaint.exe
3396	mspaint.exe
3396	mspaint.exe
4140	mspaint.exe
4140	mspaint.exe
4140	mspaint.exe
5076	mspaint.exe
2360	mspaint.exe
5076	mspaint.exe
5076	mspaint.exe
5076	mspaint.exe
2360	mspaint.exe
2360	mspaint.exe
2360	mspaint.exe
4432	mspaint.exe
4432	mspaint.exe
4432	mspaint.exe
4432	mspaint.exe
3760	mspaint.exe
4420	mspaint.exe
3760	mspaint.exe
3760	mspaint.exe
3760	mspaint.exe
4420	mspaint.exe
4420	mspaint.exe
4420	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3696	3752	powershell.exe	84
PID 3752 wrote to memory of 3696	3752	powershell.exe	84
PID 3752 wrote to memory of 1520	3752	powershell.exe	85
PID 3752 wrote to memory of 1520	3752	powershell.exe	85
PID 3752 wrote to memory of 660	3752	powershell.exe	88
PID 3752 wrote to memory of 660	3752	powershell.exe	88
PID 3752 wrote to memory of 4844	3752	powershell.exe	90
PID 3752 wrote to memory of 4844	3752	powershell.exe	90
PID 3752 wrote to memory of 1472	3752	powershell.exe	91
PID 3752 wrote to memory of 1472	3752	powershell.exe	91
PID 3752 wrote to memory of 4992	3752	powershell.exe	92
PID 3752 wrote to memory of 4992	3752	powershell.exe	92
PID 3752 wrote to memory of 1588	3752	powershell.exe	93
PID 3752 wrote to memory of 1588	3752	powershell.exe	93
PID 3752 wrote to memory of 3656	3752	powershell.exe	94
PID 3752 wrote to memory of 3656	3752	powershell.exe	94
PID 3752 wrote to memory of 4244	3752	powershell.exe	95
PID 3752 wrote to memory of 4244	3752	powershell.exe	95
PID 3752 wrote to memory of 2676	3752	powershell.exe	96
PID 3752 wrote to memory of 2676	3752	powershell.exe	96
PID 3752 wrote to memory of 4656	3752	powershell.exe	97
PID 3752 wrote to memory of 4656	3752	powershell.exe	97
PID 3752 wrote to memory of 1500	3752	powershell.exe	98
PID 3752 wrote to memory of 1500	3752	powershell.exe	98
PID 3752 wrote to memory of 3056	3752	powershell.exe	99
PID 3752 wrote to memory of 3056	3752	powershell.exe	99
PID 3752 wrote to memory of 2312	3752	powershell.exe	100
PID 3752 wrote to memory of 2312	3752	powershell.exe	100
PID 3752 wrote to memory of 1464	3752	powershell.exe	101
PID 3752 wrote to memory of 1464	3752	powershell.exe	101
PID 3752 wrote to memory of 1620	3752	powershell.exe	102
PID 3752 wrote to memory of 1620	3752	powershell.exe	102
PID 3752 wrote to memory of 2788	3752	powershell.exe	103
PID 3752 wrote to memory of 2788	3752	powershell.exe	103
PID 3752 wrote to memory of 4920	3752	powershell.exe	104
PID 3752 wrote to memory of 4920	3752	powershell.exe	104
PID 3752 wrote to memory of 4908	3752	powershell.exe	105
PID 3752 wrote to memory of 4908	3752	powershell.exe	105
PID 3752 wrote to memory of 3396	3752	powershell.exe	106
PID 3752 wrote to memory of 3396	3752	powershell.exe	106
PID 3752 wrote to memory of 3744	3752	powershell.exe	108
PID 3752 wrote to memory of 3744	3752	powershell.exe	108
PID 3752 wrote to memory of 4140	3752	powershell.exe	109
PID 3752 wrote to memory of 4140	3752	powershell.exe	109
PID 3752 wrote to memory of 4896	3752	powershell.exe	110
PID 3752 wrote to memory of 4896	3752	powershell.exe	110
PID 3752 wrote to memory of 5076	3752	powershell.exe	111
PID 3752 wrote to memory of 5076	3752	powershell.exe	111
PID 3752 wrote to memory of 3288	3752	powershell.exe	112
PID 3752 wrote to memory of 3288	3752	powershell.exe	112
PID 3752 wrote to memory of 2360	3752	powershell.exe	113
PID 3752 wrote to memory of 2360	3752	powershell.exe	113
PID 3752 wrote to memory of 3084	3752	powershell.exe	115
PID 3752 wrote to memory of 3084	3752	powershell.exe	115
PID 3752 wrote to memory of 4432	3752	powershell.exe	116
PID 3752 wrote to memory of 4432	3752	powershell.exe	116
PID 3752 wrote to memory of 5004	3752	powershell.exe	117
PID 3752 wrote to memory of 5004	3752	powershell.exe	117
PID 3752 wrote to memory of 3760	3752	powershell.exe	118
PID 3752 wrote to memory of 3760	3752	powershell.exe	118
PID 3752 wrote to memory of 4252	3752	powershell.exe	119
PID 3752 wrote to memory of 4252	3752	powershell.exe	119
PID 3752 wrote to memory of 4420	3752	powershell.exe	120
PID 3752 wrote to memory of 4420	3752	powershell.exe	120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sussy.ps1
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3696
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:660
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1472
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4992
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1588
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3656
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4244
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4656
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3056
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1464
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2788
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4908
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3396
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3744
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4140
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4896
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3288
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2360
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3084
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4432
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5004
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3760
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4252
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4420
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2392
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2284
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:396
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5156
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5164
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5216
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5236
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5284
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5364
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5376
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5432
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5500
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5532
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5576
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5592
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5624
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5716
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5784
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5852
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5868
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5924
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5932
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5988
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6020
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6064
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6072
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6140
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:2068
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3180
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3264
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6056
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6132
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6200
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6208
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6216
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6224
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6368
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6376
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6432
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6464
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6488
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6500
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6572
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6580
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6620
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6628
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6708
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6716
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6744
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6796
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6840
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6848
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6916
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6924
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6984
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:6992
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7004
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7012
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7116
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7124
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2408
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6428
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7096
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3452
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7212
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7224
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7292
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7300
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7308
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7316
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7420
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7428
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7436
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7444
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7456
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7464
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7628
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7636
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7696
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7708
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7772
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7780
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7844
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7852
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7916
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7924
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7980
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:7988
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7996
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8004
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8016
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8120
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8188
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6324
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:7836
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:7904
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8248
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8260
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8320
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8328
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8372
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:8416
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8460
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:8468
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8528
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8536
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8616
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:8624
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8684
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8692
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8756
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:8764
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8772
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8780
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8788
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8796
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8956
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:8964
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9020
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:9028
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9092
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9100
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9164
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:9172
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8216
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3300
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:8924
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:9224
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9336
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:9344
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9452
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:9476
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9572
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9588
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9644
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9652
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9712
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9720
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9792
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9804
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9856
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9864
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9920
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9928
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9996
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10008
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10060
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10068
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10124
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10140
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10192
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10200
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9248
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:1980
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10244
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10252
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10320
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10328
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10392
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10400
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10464
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10472
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10528
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10540
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10596
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10604
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10656
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10668
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10728
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10736
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10792
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10804
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10856
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10864
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10924
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10936
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:10984
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10992
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11048
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11060
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11116
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11124
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11184
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11196
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11248
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11256
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5088
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9324
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9316
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9308
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9388
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9748
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:9304
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:10356
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11508
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11516
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11572
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11604
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11644
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11652
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11708
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11736
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11772
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11780
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11836
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11848
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11904
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11912
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11968
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:11980
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12032
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12040
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12100
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12112
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12164
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12172
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12228
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12240
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:11176
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:9428
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12328
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12336
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12376
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12408
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12456
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12464
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12516
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12528
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12588
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12596
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12652
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12664
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12716
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12724
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12780
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12796
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12844
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12852
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12912
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12920
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:12976
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:12984
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13028
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13040
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13108
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13116
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13136
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13144
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13152
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13160
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13168
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13176
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13184
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13192
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13200
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13208
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13480
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13488
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13496
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13504
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13512
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13520
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13528
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13536
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13544
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13552
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13808
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13816
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13824
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13832
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13840
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13848
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13856
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13864
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13872
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13880
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:13888
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:13896
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:14212
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:14220
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:14276
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:14288
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3576
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3192
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4780
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:2664
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1528
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:3568
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3208
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yfjjhv3.vge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
fd902f51eaa559a05d69043991ccfe03

SHA1
ed9d25f306f7bbebc91aeb6159b614c53380c5e0

SHA256
ee7623af21b336486f28d8c2e9d014d8a93689882f9ab9aaffdf02138d9d2c5b

SHA512
6dcb868ae79f4a02600bb305953580ab5b830febc28575b6f99d49005b9eed92291b0054a624b2f8b7c225506a16dc679bae9db9f0177a5ef5b09980b6424ae1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
75d0f2acc082f01ee466f7c54f9b3e07

SHA1
078ee579af739b22676ce6468812ae342d3b7931

SHA256
e8dc6e37116f04d500f5588dd365406b4487a36e4e9dd83bf0c08154c6fed0de

SHA512
92278bbe61c3dfa5c975f34d7514537e9fb7fba5262cb7422bfb4e8a087dfabe9549f25b3921067fb2335948007ea75e07bd037bc5bda2a6178af095511d6d4a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
34a06a9d02e46c7edfa389455890b576

SHA1
b1aecc6d647e755466085a04f5d5efbbdeb2b974

SHA256
5c5c441a490ee73efdf51a22f0c7296bc4476fd2422799748101ea9103d963d0

SHA512
37d1ed7162b1747769b3a69cd50c76bcf09fdc395fd65a7ae8c6146659dcc8f11bc1f3d5b4ae473aae127d35940af39e0bc542e4ef37d6245ccd210d77caabd9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
81afc09ef205efda95406b7a8961c099

SHA1
ca7457b99a2545d19c4a64bb59c352e35c9ff859

SHA256
d5cce087de385ec2aba72d41e46ebb72bf4a120d1bd930ef0dc0ed68f82b73e1

SHA512
07cb84dfa297adc0caae8fdd994e691b55e6bf7b6315234b860269d2cda9c1482a094e93f9642ea86433c93dc306dd196864d1d2ef4ca139c73fca747d7b1e67

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
efdc1cd210ae67a8b9e7e7d2b71db066

SHA1
c9577df5fb24b4294c92a07aa851024243b35b12

SHA256
d2cb2fb45f5c64b3b8178ff4dc0edcdaaf83b15ab417985fcfd7951774368fc3

SHA512
eef4c71ea7353410c6f287838cea4f0154687835b2254b01e0e0234ee6cb79dd6c2d3e446ce25e6c3079266a69eb73ae779705f7dbf21d91a14e16f16b81775d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
7eaea71f167c1484d0323bfde8fe30b4

SHA1
c98f2d841ec63bf3bc72e5c83140226d5eb3442d

SHA256
d05539a89d422b32fa57445c68e726223bd52cb9106a7663c73f3c8bf77e4612

SHA512
956789f0a79b0c5b035a0f9cf23ae74d237f5cb66b46d34ac23b6a543454ff427d007e3f2a19502e75b8f9834b6fb7a3941f57cfe2e970914c93f287730b3db2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
5a33628dba32961d2c38942fe7c36268

SHA1
119d6b57bf364847e65e08ca4c06015f5ea22e5c

SHA256
f99a2f0bfe9022cf72b805a332cc1150007a1912c67190eef01ed5d30b172a30

SHA512
846be4d7501c9ae41d87e8e6d32f92baa245f15e83e8fca7574c16db669b2bcf3f4ef9feadb185821a996d50bd126e3f05a00772bac6f6f9ca6b0825ce474a4f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
46fd022ebe3d93009d7fa3361ee52684

SHA1
fda52bfaa5afdd82c6cb66dcd44285e01c4b190a

SHA256
a7c232a99fa4ef7cf3b13138d336d2a7c398fef1fd789ea8d16fa246ba5ef5ca

SHA512
1efd3abae50b1a94bbfb6d57bf3e1860725f04ccedea58be6826a841de8811eaa189277e67fb89ccfa854592b49317724f7d9dfdd67de00218a591f93e42c8fd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
731c824447044d5910dbf8b184442e25

SHA1
6fd9487f5004d8c407c3cbee6a48f6fa01fd0d9e

SHA256
8ef548252d6cf515544f5f0a22c6cda2c764b8da07bdb04f5e5dc5219ff03c6e

SHA512
7ff518c7438f64723eb5b5d4b4d7e7968d1d818cef120bf3ba331efce37c86b95a0d2221c0545946b0bcabefa1719f08e3329a44cde9c6ba26446eb0cc581868

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
b72d6230e87f035a7457cc4096a8f622

SHA1
93b92d5baf8969d52d0c13ec4f3a0a3eb2102828

SHA256
0bb46de5c9cd2ef7ea2ca3bbbae8a65bb89e29deec7922f1498357043fa3c519

SHA512
f88c764efe7418104c666a8daf6ce4e147a8f6d879d06286b7f03c0c5f2cae93553d506bc1ec52d19656ab025f1973711d47c061548a354f9c7175219b55e0d1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
f30ef3ed7e0c01827aafae99bdf4a2fb

SHA1
020d134d4e82eb1e6ec7f119822c510e312b2dc2

SHA256
8c061c55ab277658c6f7acf3ffccd54135d92a19a23c64f55d4726f75c5cec29

SHA512
a8554c94c52c0744d13d8f2044483032eef4987b6f587389af5f12e02635a25b15fc9c1fc9ebe9c34157ced2dc851ddc50951a66189b13dee9000777adb35000

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
ba2b7251f0e3af025e5b991e4e5a4122

SHA1
90bbc728a80e0a58d59c866afb85d2f3c7220081

SHA256
b2376951955713922723ff5bc496c48a66dc38102b11abb1510c078379f8ee8c

SHA512
d68cc857fe24a55f25e81ea87fea0e8c1dece39e6f32b995ea7cd9cf13acb926d3920aad24d8d69bdea638570791d52fa065112137c4135e9fcc8b6b9f01e457

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
7557b801331fc32f7188d5e4aaa55883

SHA1
5a043e3b0f6bda2c9fb3af61429e7b3bdd7891a6

SHA256
99cb7220e3e369ba85a3d5b614ac1f9f59ba41d3084b29ba6f00a5c0db4cef17

SHA512
65affe0ae2d7ed69229611420f8d4e558655f10ca9dd9a3bce2c7f165e9f10dc979d22790fea6af17418df64887b98a1689ee2d1ce0541b037823c24adca48b1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
b7670f1fb1987f4f23f88d73f1a1c5ce

SHA1
6bbfb8eba60bc3cc194f50dbaac9b8b31736210a

SHA256
e6be933913e81decb16411030cefff5a255097c5c2a42dff154585176dc5f586

SHA512
1dcd603498c975aa6168df9a4f2c58058b5130e0a241d555f71ddb9550dfe531ea09c40699fa715211b3bfd83bd663ed398e46bea95244886c59f1340337619e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
42aca6a23b48f8cc770a0f1bf545ccb3

SHA1
837a958b7407c6f27c0622fdc8cda9cdcc8a1505

SHA256
475a5358ae352aed137ccd6c54e5796a82a7e75ee7404352d88e3d1c401860a4

SHA512
5e9ad1281a24f1f21b9d4d77c9b475004e2ba742e700e191cb1f3f2b30104dda011775d0f57c8e7501af05177dc80f3a81dfb15b986c47cbd0334c8668058e23

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
ef497fa4840e286a14f46df46e0cca01

SHA1
750c9e16a5fb8afb850a9d8f8dc74c95f136e0cb

SHA256
2c4fe0e702a606e346a291d3907eaf584add601603c60a5d11f217252b8ef6df

SHA512
8d88c3a222a04a03d7c3971ed830c2459f7ef65135038d60146cb6f78875e5cd4fd6951bf2a7e608615d83004b49276ef32a9fa10d13845d9234cffaba6d06cd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
34KB

MD5
320a7fb1d9d7a456ed71ffb6623b217b

SHA1
73d51687b4de10c7a6a3c5ce32647e48c0f71710

SHA256
eb666d0a7371b18e255af1509f5c8e2db73b1b21d1f52e5e1b25a593aa499c67

SHA512
63384f4984c3256a9f02aba020ba2cf96bc4b564e68d31182de32c5296a51f98e305f118c4da5fa50a0f292ccad380150f17c687dfef564fba97e8657d4a8f8e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
4d62ffb80ea9aa4689cca7f993e9cf46

SHA1
d1bd707298fe83e430f44a5db8b80696e922d02c

SHA256
0c76a10a5549266b248a3f6084617929548d601978ee6858803891f0eb65d28d

SHA512
60006d7b852f7c9079e9acc079aee13eabc4500da9271c00ff754d5bab78640dae54a7b62864ca935f377c51a3a5a7736e73fecdfb277cb28616024ae4a02368

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
37KB

MD5
1a0c54dfdb00cef73c95154ee5b3c64b

SHA1
f805b4ed80583b7c6a580c68f1639caeff9222d0

SHA256
9f06abbe7c08c5b6ae6ed0bd9d34eff2683c02232a7036dbdeb7b9345606fac5

SHA512
945a704d8ef02fbfdddf2bcba219901e9977f5579fefb5baa5abef69c716030166172a0596fb0482d5556d6f140ad2a68666f6e68f736a55ed6d3567f82183fd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
5847f023665579e61ea348fe6a0a2f22

SHA1
34856d8fc3c5b7f17dc39f4a635c7629037e5224

SHA256
aa558062a228b17bce650b89093249a8d0541d3f62edef4863bbceea3ad950a8

SHA512
374ab92f8a76737d9914b9b98f7779159d9ab3299e2f078b92453ff4c93ddb0134774a87522c25fc12deb26d5a6dbcac458e27b9d650c254c29ca77997948ac5

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
43KB

MD5
22e9c63deda5ecdd9631cc983e2b070f

SHA1
43cb1361004714c72d2041545fa2cff4bc8002f8

SHA256
93ed5e3cfd5c2de0855f82893a02b1ec6db3fe7d028148e231add75bbad30a8f

SHA512
bbfdccf4b956ca0f2c7d836f5dca16ecb0727074f02ae094e3b9dbc2e2cc2c2a4521c86215a2df809410366a7a45c2f809db99958478836be3438a44afc00d13

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
45KB

MD5
6e57a06d56ad84b25a5ddb32a302e17c

SHA1
eea81098730b4e6ea8a8abdc6c9f18e76b3b3033

SHA256
dcce6a8c13a995758f7ac6c8f36bf7bdb98413b7c2a7d57475cbc8880625bb30

SHA512
1c8b5090f1e2d12716a72456b15e62ab083e6946090de68f7e3be19ee43e1e80b8e4f29e78300037d22f33a453094fc816880e40e060a00ccec406d922aa3fc2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
48KB

MD5
99958179a5175e92386fb2d72ad15ecd

SHA1
466a7236649c2df6b7a2ffc82eef201d60b03304

SHA256
42dc7820e1e09d0671258a38411025f935ec994185221d52171135387139d50c

SHA512
407d7fd39729541787392d1fd231b93a716268ce3aba18cf8790280428624f572048955d801fd82be3a11a6785e4a16fff0ac26d8a339133f4ce06556a8978eb

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
49KB

MD5
fdafce5055887b548c31fec08fdc2d89

SHA1
4ef7d5ec23309d13a2ed66d44b6a0aaaa35b161a

SHA256
662d1d6347f020f1785f3f8f9cd67b756b71a221b9ef86e8df144c61b9afe76e

SHA512
d4cf50bf4d165c4cad708264dedea42dbb355b7542e78448de8494e16679fe54b7fd9ac46f5c7548bd630bd9da604ea52caf1fa261f536768b2b82ca733201b0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
51KB

MD5
d2ea7becb9414a2b18b2be1ec0270705

SHA1
020a5baa0bdb9d7b5805e59c77c66392252226eb

SHA256
6d578df7bd10cb2ca6d1173439e4d8c4e93fe0f63844a58eeecf03bd500fcffe

SHA512
c7c44660f1070d7a7215f49028c6db368702f160f28cd66cd5b32ee7132c276c52bdf68a2c4220341c25e3122069d8eaa914914b6aeab177a285302a6cc94b09

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
54KB

MD5
6ac94a80b6ba23dbc598d756b423e85d

SHA1
be8e81dc3c9d03f1cc23566fea2ee33ff90a91db

SHA256
da865356b39ca3dab57e744f14e217bae48497c83c0dfdfc2412b31111d20c1a

SHA512
1a5983dda3bf93671abf4cf82cc7a0ea87d512bd27d781f4f0ff92a0ac38a9c3c13870a55ad9ca0e86b4eff4dd69486b921039a0125308d82e2b0a444d7f8033

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
57KB

MD5
dc5ec3ca19bad486f14cc392a6569c37

SHA1
620ed2f9ad7e465664584e8b0f95bdfac472c5be

SHA256
d22abe9031ded0af0e01809f0bee80f22cca8b9e9d0e0bb747e80176ad419f4d

SHA512
9875a4f2cdc3f7ade219e1cfb0bf69f448eff03082f273a0a652ec94814505c9e00d42fa8adcf059d6bf8428519a7127100c1f1b63a266e1142e11df73f2a37a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
b802647c0f18db9e12058f1174079632

SHA1
231e657f321ed0b0c01e259f467f42d57a3cbc5f

SHA256
9d2ee571926fff382b1cc4071ae0e0dc86593d19c5d037a8cad815cf24c0add7

SHA512
571585f28b4cd9a751a0bb48c400aea6f833a5e95b505026447f7e4641347306c1cf3019b73f8f6666d38f9892d76f7cea001aa424e658b2673249e06183990e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
ea37642515bb4d24c38c98eea7254d74

SHA1
0783c954cf2c583fe46a1b81960794d224f9b4ab

SHA256
db6d0e32014d966741f319f5baa61ebff8771fdf895cbdcc7c34440157c329e7

SHA512
c301c1019c43349149e86409f0a44470b34e71799523e73ae10e5e99594152b20180847db7e869a27a15c81bce5f41fce791ab94e9189018f7458eec68082b81

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
65KB

MD5
94a1e02580aa30b9f31053a49a457046

SHA1
45a0ed6713fe2576a7ee0491cdf986927b9a9c7a

SHA256
3d9b8060533fa1566144922c1233d364bc74e058168f945bcd21b871d65c8365

SHA512
048a94c95eaad50957cf82764d528143422793eb3f9503fde7e5a4d4d85cb53d45511d637dc9097fbc67df4eb7b7a22baea4222885921cfee44ff50e36feb42c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
d11984cf894cc922c6fc8674b6abbffa

SHA1
b91b4e4c29628a5bd13767ee10e39fdda8a51329

SHA256
e06c3bbb9da28ca1c98d06aa7e46918318d9245f047c2bcc4befc2147ca4a158

SHA512
d5b21baa4af6f578de5faa316f7518d9ad779ddbb489872b9226aefbd9643dff0e9e5275749f056cdc4ff2899fa48dfb588a75886cfbc817b633b042a89793a8

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
71KB

MD5
3afcfd2b764b4cc4676ad5b440bc75f7

SHA1
a251c8c9c7e941ef8563d8eb8f9285f1f56647d0

SHA256
946ebc8689ac6ec5483d16580fbd47156380eae9f69667e18990732f0078faea

SHA512
adde7dd8e6ae8efd80b90b11e299c1db719573e3f048946e34cad2829d87c6bee955dd3118c984614b5b4c7c1c89e072a01d946c03f7bcbe8e820cb594763b96

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
72KB

MD5
8a528a5435272c6a00e5f1fcf344c557

SHA1
92086dcb317580d0bad65924c6559a6f6169e30f

SHA256
5cbea80abfb32043c459857b660c800c189747aa58808d07a37eb5ba9694bb87

SHA512
a00ee1f2705e673ad50f54a91d9472757c41bf71f704efd2f99b5d2a89e0dde43c6bd99318b6e9c6ec9a49f2098625658b98ea0b880f262ff5913b68fcd33589

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
74KB

MD5
a900135e8208d87905e37c3d57c25ea8

SHA1
6a1be92ffc840e75f7a4727ed29c865e4925ad20

SHA256
529d4b275fae674d2eb4ce772a1f99f79fde99d4fc222479676fa70df3f488f8

SHA512
8e64849320f6f480e4605b759975d386e6d4d05050d698bb83592a2c0a1a20ae32d76c2dff240ed6c275483366696a4c8738b1ced920ac06aa058f60dfe1813c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
77KB

MD5
a622672943c12a9e51f066dcca7e37f8

SHA1
fee489cd0c2867fc2de941c9122a2fb4b07af5b1

SHA256
46c5c6cc0684b8e8e7a32eab6d7f0c740306b18b70a82efc4495ef1ee3d3d55b

SHA512
305dd56a9f5adad39ab7a250481391738b4f7ebe98658f4269443fe09d636f54fdcad2eda144ef1f2f12982de51445cbc47dc85e1e0b991212184b75d7f9ebe4

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
79KB

MD5
d0901fd54cb3f8d3c0568a9d60e6f6f4

SHA1
b344a7d61ba36c47b8bc8918889314dd42195c12

SHA256
85ffe536e6495c80438fec3907fcb58a70026adfc98ad371cf6fde68f43c384d

SHA512
8c8fda9093bf8b04277975f0324e0663675b44cbf4498737106e6b547ed5c79992c3954a7ae983acec9954a69c5a09b4e4ebdc55e70666fdc66c0563c6c73209

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
80KB

MD5
215b50aa629fe70632a861058754d2e1

SHA1
83e9cd5b8511a96bdcbcd362a56e9e99aaea28bc

SHA256
3eaf7cd9dd30caf5d0475e1c4af76d39ebbd0debffb60a3f5944a3867a879a60

SHA512
8ad3e58f4c9b772e66692c59e51395b8e8344965bfbce1e2c2b7d42afec31efc904ea808b04cdfffc4026b10b2475e773a9b580c404f0f23a34a5373f89a553b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
83KB

MD5
9ce72f987a625de7d4d791a10e318323

SHA1
524b330ba5e31fe27513e2ff661698e10323dfc3

SHA256
12a998c0e56eda5da2198bb64d6875cd6e26aa910864590260087651ff1756ad

SHA512
a5f179050b0a3772dba544cfff725118c9495a549ae5416af042eb39efae327835a9d57f5d19b2c1c9895cf94bcf660af3f6d87f140ffc7d903614170647bb74

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
87KB

MD5
dc272976dab1d5d7e49df0bb492db9b7

SHA1
0acd487905f606c3d8a488fae301b3cddd52a60d

SHA256
7f92b373d6f251e781cb4fe8a3a7ea4c02427d71000d663ae792489d62992fcd

SHA512
682742c08496851247b6e630bffbe3027a047562bce2260db962b115a17a36add80489c50e95fe86c083623712ef1ad12997a8c377a93a9e3fdcf17377363c15

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
90KB

MD5
a80c259a80ff69065135919a1fd9063b

SHA1
a15163e9775385e3496fcb70c20b92cdce9d2e94

SHA256
e68a961c1b11d38ccd8ec1d06ec507f7dfaabc60eb5dbdffdb37589a08995adc

SHA512
b84a3246235db0d9726a20f5eec38313723ba5de8fc25fd664f3c9fb055bbd63d6b0a4c3bdb6f21644712e87b3accfcf799d443cb4e441a5d6d9b647cf11926a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
92KB

MD5
42f1a9692193f374a69182c0307f3c08

SHA1
51216a886dfea43271353eb295e23daca8eb23b5

SHA256
43c1c2a6a698f31aec952c7ffb22b668bf9dabfe38f9e918f83e3b6d9d4d58ac

SHA512
155dabeeebbd08b1f9e3a3d2e4df78eb7421dbbd1add634f2cd37983eb2e7a18092c92c8fd12857bf81071e24114b056987020bdbfecb5242e440957ca0ff01b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
93KB

MD5
bb0cc346db1be15841d7684a9d163340

SHA1
b89fd058e4c3cf48832d6f6a9c271755825c0420

SHA256
24b42e0b6a1245a9c68d71971b94cec010c394b9d360910eb2231bd445d5bc17

SHA512
611092829abac305960eeb337b0b4857def45a04fde2a092815331f1c29c0164435c9c0eaddb49b1e16787b73870ca4816d95dcd556e292059537e6a66fb9818

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
95KB

MD5
f56d5aaab2d79696803e5e506683af28

SHA1
d178e47c37c066cd05efd03392befd3369431061

SHA256
675abd0a82c687140e32850e513f0f7d917c924aa8ba29f35ee2a57b6cb855d1

SHA512
c7370211df23f9c300e37bf3e7831068908dc2f49564e69adce2ce664448848d3cd75ddbc1cb7a378a0058b6bc2ff80cfce5b87b173a255f8d972879c53c8c99

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
100KB

MD5
a961de271d1165a4a35b9f0cdb6e308a

SHA1
aee2ad7abdf98c15febec213cbae7585ddf07a84

SHA256
73e411db3ce88a502e5499b405999f3cbcaa51f664159556eaead8b0f1657a5e

SHA512
4a345cab2c567cb4ab37166fdb848cd90132a8ab62dac74e792c6c6c6b3e012243ee623759be6c89b53d7d6aec8f868acd3c85416c82bf73c14131d4e9101aff

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
103KB

MD5
f9b308d61d6130ded35c008ff4efc1f8

SHA1
d9b38156e415f3c87114e542684cfc884a68326c

SHA256
6d2857fbdc417aa5321cf777de724bf41f1be2249a2c6d9a7d49faa0030763d0

SHA512
2dd675fd770f37294f9590320372588a35d5b13a1aa173844b5731cbcf2d23f85355837f068c98116a42a8ee1ca096c4ce955f85a8179213f90115f708271232

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
104KB

MD5
0b6ae5098f32072d121ecedab2cb25f6

SHA1
44d846a5d373e1da08edc732cf2136abb325c867

SHA256
a2e06e33f423f300666c8e6e170d24ca266421c1344c5e79879843663dee168f

SHA512
8c346831d2918daa2138f1a366a47f1cef5c1a2b712b4e1b22e4c1ed561cca76243bcb14c653c2bc4b7e2e5029b0ba8c026a2cccf4d248766b7456a37a12f650

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
107KB

MD5
2d42755c91ea59d85932ba07b667b503

SHA1
6be70d75093c0e17af4b0127bf404ff8b0900b46

SHA256
1bc1160053fbfdeafa77d6c185886ce0053455cc3f43b1241df7f75727ac9151

SHA512
e52e32ae54fa28b337bc520451d08a771cfe6bf013c1060077cd16545eb3ac66b5dc2d3335e1dfa9f0a89e382138e91844a3150e4cb4f067de1e3eb26d392942

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
109KB

MD5
0a822fcffe10c675ddedc6ec3d1a6c97

SHA1
2528a37e4de51318d6f90d466aa14b785f8a4851

SHA256
b65b6b1221238f5267bff6e8ec3780d766321debf67208cd18bd3ee6d0bd3d40

SHA512
0a72cc374a80c84cb60ae20721dc17acc89c1a5862fc0330916dc031202b2dbfc953643aeb47aa0b02b3fb02e78368cbb238a9c9a4787ae54a45c90de226841c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
112KB

MD5
9ca8b164f3b640cc8d0fc8fb35dbbeb4

SHA1
8ac0a979e0a87f2c0e51a0610ad2c5f6d3801211

SHA256
51052c5b973efa6d94a271faa5d205edadf91a5800eb49c63f7c315389149697

SHA512
4ee83b8d9f663947582ffee62a72cbbf65e49810a71821aebcf3dbb51d9778a95c02e20739ebc546fc6a31ca685d59268b7e58c019fdd294527b09539acd7452

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
118KB

MD5
14afcabc620665d23c46c65611d0014c

SHA1
d4c5ca802f9ebebc88b09929416930f2d64537e8

SHA256
e168ef1a7d5ce7b77dfa4646e8fa7197a8be70d50658059779e37d076e2b9fcd

SHA512
bb012966a0859f965a50d690f9c22df7caf863305eff4fe6251483fb436c9f90774afb7d303ea15e2258c0d7c66c90ebc2b11c4238ed2fcd9360e9bf014aa559

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
121KB

MD5
ee8dd01085b627f8b6b37fad8c8c7b7f

SHA1
2213f9a6dc6a2cb21268244f0916e4121121cd39

SHA256
23b1c9d12be0cc1adb6f536c2240a0949cd850a071afe8bbf7e0e0fbcc57efaa

SHA512
efa2fb2cc312d7c6b004ab3418bb3a568194463ea58ab4fb9f34d854294874eb6e5b7b93117265760d394402f1c6d781aa023dd1cc4d62f741d386409a6530d9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
122KB

MD5
71dd8393f5c0dc40f7ec3ad2922710f4

SHA1
a5dc10c0a9286fefcf244aff654f134543bc47e2

SHA256
10659118ccee74676089b2857d29636cf1446cab0258e2934d4463eba58688ef

SHA512
e97978aca7f0b1c32ab192a8ec80b0856308d0d9f528e9b418b84e0c392b0eed33489ec645b0224e9100cf2478be15960735c7f74c3bb8fb1e4b498e23b4c78e

Download Submit
memory/3752-9-0x000002174C5C0000-0x000002174C5E2000-memory.dmp

Filesize
136KB

Download
memory/3752-10-0x00007FFCC4850000-0x00007FFCC5311000-memory.dmp

Filesize
10.8MB

Download
memory/3752-11-0x000002174A340000-0x000002174A350000-memory.dmp

Filesize
64KB

Download
memory/3752-12-0x000002174A340000-0x000002174A350000-memory.dmp

Filesize
64KB

Download
memory/3752-13-0x000002174A340000-0x000002174A350000-memory.dmp

Filesize
64KB

Download
memory/3752-79-0x00007FFCC4850000-0x00007FFCC5311000-memory.dmp

Filesize
10.8MB

Download
memory/3752-80-0x000002174A340000-0x000002174A350000-memory.dmp

Filesize
64KB

Download
memory/3752-81-0x000002174A340000-0x000002174A350000-memory.dmp

Filesize
64KB

Download
memory/3752-84-0x00007FFCC4850000-0x00007FFCC5311000-memory.dmp

Filesize
10.8MB

Download