5c9a27645f428c4479f33cab9c05f70a6b6778b902a2cb53842d7506918d1c93

Analysis

max time kernel
110s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.vbs
Size

933B
MD5

21107479a0b22f97279331776497f424
SHA1

d7661427c9ba6a05d1a3fac3738db427b21473c7
SHA256

5c9a27645f428c4479f33cab9c05f70a6b6778b902a2cb53842d7506918d1c93
SHA512

e05374e11edff902eaaee3101e2bd8d19f6b92663b97ba8cb3c5dd8843607c04d78fc29782bf9f558a6c66392bf2f635085a2fedc760d41cc923a70bb248cc81

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2528	WINWORD.EXE
2152	WINWORD.EXE
2408	WINWORD.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2528	WINWORD.EXE
2152	WINWORD.EXE
2408	WINWORD.EXE
2152	WINWORD.EXE
2408	WINWORD.EXE
2700	notepad.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2816	wordpad.exe
2304	mspaint.exe
2816	wordpad.exe
2816	wordpad.exe
2532	mspaint.exe
2648	wordpad.exe
2648	wordpad.exe
2304	mspaint.exe
2532	mspaint.exe
2648	wordpad.exe
2432	mspaint.exe
2432	mspaint.exe
2532	mspaint.exe
2304	mspaint.exe
2532	mspaint.exe
2304	mspaint.exe
604	wordpad.exe
604	wordpad.exe
604	wordpad.exe
2432	mspaint.exe
2432	mspaint.exe
2528	WINWORD.EXE
2152	WINWORD.EXE
2408	WINWORD.EXE
548	mspaint.exe
2716	mspaint.exe
548	mspaint.exe
2716	mspaint.exe
2528	WINWORD.EXE
2408	WINWORD.EXE
2152	WINWORD.EXE
1596	wordpad.exe
1596	wordpad.exe
240	wordpad.exe
2152	WINWORD.EXE
2408	WINWORD.EXE
240	wordpad.exe
1596	wordpad.exe
1056	mspaint.exe
548	mspaint.exe
548	mspaint.exe
240	wordpad.exe
1768	mspaint.exe
2716	mspaint.exe
2716	mspaint.exe
1056	mspaint.exe
2816	wordpad.exe
2816	wordpad.exe
1768	mspaint.exe
860	wordpad.exe
860	wordpad.exe
2980	wordpad.exe
2980	wordpad.exe
860	wordpad.exe
2648	wordpad.exe
2648	wordpad.exe
1056	mspaint.exe
1056	mspaint.exe
2980	wordpad.exe
1768	mspaint.exe
1768	mspaint.exe
2484	mspaint.exe
2112	mspaint.exe
336	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2152	2292	WScript.exe	28
PID 2292 wrote to memory of 2152	2292	WScript.exe	28
PID 2292 wrote to memory of 2152	2292	WScript.exe	28
PID 2292 wrote to memory of 2152	2292	WScript.exe	28
PID 2292 wrote to memory of 2304	2292	WScript.exe	29
PID 2292 wrote to memory of 2304	2292	WScript.exe	29
PID 2292 wrote to memory of 2304	2292	WScript.exe	29
PID 2292 wrote to memory of 2040	2292	WScript.exe	30
PID 2292 wrote to memory of 2040	2292	WScript.exe	30
PID 2292 wrote to memory of 2040	2292	WScript.exe	30
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2816	2292	WScript.exe	31
PID 2292 wrote to memory of 2760	2292	WScript.exe	32
PID 2292 wrote to memory of 2760	2292	WScript.exe	32
PID 2292 wrote to memory of 2760	2292	WScript.exe	32
PID 2292 wrote to memory of 3004	2292	WScript.exe	34
PID 2292 wrote to memory of 3004	2292	WScript.exe	34
PID 2292 wrote to memory of 3004	2292	WScript.exe	34
PID 2292 wrote to memory of 2908	2292	WScript.exe	35
PID 2292 wrote to memory of 2908	2292	WScript.exe	35
PID 2292 wrote to memory of 2908	2292	WScript.exe	35
PID 2292 wrote to memory of 2948	2292	WScript.exe	36
PID 2292 wrote to memory of 2948	2292	WScript.exe	36
PID 2292 wrote to memory of 2948	2292	WScript.exe	36
PID 2292 wrote to memory of 1800	2292	WScript.exe	37
PID 2292 wrote to memory of 1800	2292	WScript.exe	37
PID 2292 wrote to memory of 1800	2292	WScript.exe	37
PID 2292 wrote to memory of 2528	2292	WScript.exe	38
PID 2292 wrote to memory of 2528	2292	WScript.exe	38
PID 2292 wrote to memory of 2528	2292	WScript.exe	38
PID 2292 wrote to memory of 2528	2292	WScript.exe	38
PID 2292 wrote to memory of 2532	2292	WScript.exe	39
PID 2292 wrote to memory of 2532	2292	WScript.exe	39
PID 2292 wrote to memory of 2532	2292	WScript.exe	39
PID 2292 wrote to memory of 2540	2292	WScript.exe	40
PID 2292 wrote to memory of 2540	2292	WScript.exe	40
PID 2292 wrote to memory of 2540	2292	WScript.exe	40
PID 2292 wrote to memory of 2648	2292	WScript.exe	42
PID 2292 wrote to memory of 2648	2292	WScript.exe	42
PID 2292 wrote to memory of 2648	2292	WScript.exe	42
PID 1800 wrote to memory of 2408	1800	wscript.exe	43
PID 1800 wrote to memory of 2408	1800	wscript.exe	43
PID 1800 wrote to memory of 2408	1800	wscript.exe	43
PID 1800 wrote to memory of 2408	1800	wscript.exe	43
PID 2292 wrote to memory of 2396	2292	WScript.exe	44
PID 2292 wrote to memory of 2396	2292	WScript.exe	44
PID 2292 wrote to memory of 2396	2292	WScript.exe	44
PID 1800 wrote to memory of 2432	1800	wscript.exe	46
PID 1800 wrote to memory of 2432	1800	wscript.exe	46
PID 1800 wrote to memory of 2432	1800	wscript.exe	46
PID 2292 wrote to memory of 2840	2292	WScript.exe	47
PID 2292 wrote to memory of 2840	2292	WScript.exe	47
PID 2292 wrote to memory of 2840	2292	WScript.exe	47
PID 1800 wrote to memory of 2448	1800	wscript.exe	48
PID 1800 wrote to memory of 2448	1800	wscript.exe	48
PID 1800 wrote to memory of 2448	1800	wscript.exe	48
PID 2292 wrote to memory of 2360	2292	WScript.exe	49
PID 2292 wrote to memory of 2360	2292	WScript.exe	49
PID 2292 wrote to memory of 2360	2292	WScript.exe	49
PID 1800 wrote to memory of 604	1800	wscript.exe	51
PID 1800 wrote to memory of 604	1800	wscript.exe	51
PID 1800 wrote to memory of 604	1800	wscript.exe	51
PID 2292 wrote to memory of 2016	2292	WScript.exe	52

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2040
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2760
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3004
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:2908
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2948
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2448
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2000
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1348
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:924
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2728
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:2664
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:1500
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1768
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3056
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3016
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2412
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:2676
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1668
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:2148
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:1772
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Drops file in Windows directory
        
        PID:3124
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:3384
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:3632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3880
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:3188
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:3844
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:3524
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:4608
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:5092
      - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        Drops file in Windows directory
        
        PID:4776
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:5756
      - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        6⤵
        
        PID:3872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:6236
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        
        PID:6772
      - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        6⤵
        
        PID:6976
      - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        6⤵
        
        PID:7268
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        6⤵
        
        PID:7224
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        7⤵
        
        PID:4264
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:2216
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:5004
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Drops file in Windows directory
        
        PID:4884
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5572
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6652
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:5452
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5688
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:8024
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:440
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:7484
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8676
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:2368
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:2600
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3324
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:3564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3792
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4064
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:3536
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3500
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:4408
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:4988
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Drops file in Windows directory
        
        PID:4316
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5560
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5816
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6616
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:5492
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7080
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:7928
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:3948
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:6616
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8640
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:4872
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:4492
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5372
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5248
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6484
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:7072
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5440
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:7660
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:4796
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8612
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:7720
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8328
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:1132
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:864
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1608
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2568
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:2312
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2472
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:2384
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:2236
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:2740
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3260
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:3512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3740
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4016
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:3472
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1740
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:4324
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:4928
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Drops file in Windows directory
        
        PID:4132
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5468
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5680
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6536
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:7124
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5812
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:7784
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:7044
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:4980
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8472
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:4808
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:3640
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5296
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5716
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6420
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6960
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5532
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:7544
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:7248
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8584
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:2928
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8260
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:3048
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:2108
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3196
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3432
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3664
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3956
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:1900
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:3952
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:4196
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:4788
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:1932
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5284
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2052
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6452
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6980
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5768
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:7560
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:7100
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8532
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:5856
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8252
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:4704
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:4060
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4688
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5328
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:6264
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:6796
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:6508
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:7296
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:4580
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8220
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:6424
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:8032
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2532
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2540
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2396
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2840
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:2360
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2016
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:908
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:476
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2288
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:576
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2224
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:872
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2464
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:2596
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:1788
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:2268
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1508
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3092
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3356
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:3600
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3864
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:4092
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:3940
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Drops file in Windows directory
        
        PID:4144
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:4656
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:5032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3776
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5668
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:6136
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6200
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:6720
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        6⤵
        
        PID:5832
      - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        
        PID:7444
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:4480
      - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        6⤵
        
        PID:6220
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:6712
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7212
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8168
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7764
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:3444
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:2168
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4520
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2136
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5460
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6024
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5280
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:6552
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:6528
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6140
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8096
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:5892
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:7152
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7012
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7772
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6304
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8428
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:1868
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2020
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3020
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3268
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:3520
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:3756
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:4036
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:3720
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:2684
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4528
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3844
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5516
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6036
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3616
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:6588
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:5464
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7196
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8152
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6384
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:6288
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6560
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7828
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8556
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:3504
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:3960
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4352
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3488
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5312
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5888
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:5700
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:6396
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:7160
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5952
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7796
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8488
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:6920
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6732
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:7516
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8276
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:2132
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:548
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2700
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2012
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1052
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:2968
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1524
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:2732
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:1708
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:336
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1052
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2348
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3280
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:3528
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:3764
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:4024
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:3972
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:1860
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4508
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3452
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5452
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6016
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5724
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:6568
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
        5⤵
        
        PID:6576
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5592
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8124
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7052
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:5976
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3724
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7852
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8568
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:3684
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:4032
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4332
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3484
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5276
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5880
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:1948
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:6444
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:1348
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6028
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7820
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:6688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8548
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:6952
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6076
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:7536
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8284
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:1248
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2460
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2540
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3204
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:3444
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3672
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:3964
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:3280
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:2708
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4344
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:4308
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5304
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5920
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:5752
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:6428
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
      4⤵
      PID:1660
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1724
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7804
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8496
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:6968
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:5880
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:7572
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8300
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:3180
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:3736
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4188
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5100
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5012
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:5764
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:5340
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:6256
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    PID:6944
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:5912
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:7508
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8228
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:6788
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6464
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7288
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1159897762-1058773891-1518233454-766330908-1157937597722899064-1058823794-1527208326"
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
bd8185df280ad739d2fe61648e1f5b7a

SHA1
5cedbd8644d152254267525265eb3221a99838a2

SHA256
518b0e260b843a542b3ff3b81a71863c94a080b6a42607da62bcbecbec518a86

SHA512
c72060b3b800eb70a63697d1aa9d027286d594a6f5558019ff0e637b6e951305ea872670457461c7ba1f3ecb4429a089e7a1bc4a6280225fef927d89d61c939d

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
memory/240-71-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/336-45-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/336-61-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/476-51-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/476-20-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/548-21-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/548-26-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/604-43-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1056-35-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1056-27-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/1132-57-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1132-23-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1248-75-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1248-37-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1500-59-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1500-24-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1596-68-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1708-38-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1708-78-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1768-36-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/1768-32-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/1772-54-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1788-40-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/1868-79-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1868-39-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2108-69-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2108-62-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2112-60-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2112-44-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2132-19-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2132-49-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2152-2-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2152-17-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2152-29-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2236-52-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2268-64-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2268-47-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2304-10-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2304-6-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2368-53-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2408-31-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2408-18-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2408-5-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2432-12-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2432-9-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2484-42-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2484-58-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2528-3-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/2528-16-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2528-13-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2528-28-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2532-7-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2532-11-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2600-77-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2600-65-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2648-34-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2716-30-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2716-22-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2716-41-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2740-72-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2740-63-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/2816-33-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/3048-50-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

Filesize
4KB

Download
memory/3124-66-0x000007FEF5D20000-0x000007FEF5D6C000-memory.dmp

Filesize
304KB

Download
memory/3124-80-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download