89823230ff41fa35bd4391d894e79bb4cb3fd3547a7477b7ccb349cbf3224ace

Analysis

max time kernel
1800s
max time network
1149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DONOTRUN.bat
Size

838B
MD5

8c7db2766af9e5116cdb4f4b052c07f5
SHA1

4703b43ae611ed0eb50944533437c3e37b0e2011
SHA256

89823230ff41fa35bd4391d894e79bb4cb3fd3547a7477b7ccb349cbf3224ace
SHA512

2e8b8df3ac745baa0251c0bccf42d898818f15e9478fd51483f154bdd1b3bf6a416a6c22ff13be56be472c068385861b4d7dd99052c2b71a53ad8e5128516ac7

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Autodmsnap.lnk	powershell.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	control.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
2392	mspaint.exe
2392	mspaint.exe
2116	mspaint.exe
2116	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
1072	mspaint.exe
1072	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
400	mspaint.exe
400	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
4644	mspaint.exe
4644	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
5144	mspaint.exe
5144	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
5496	mspaint.exe
5496	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
5852	mspaint.exe
5852	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
4452	mspaint.exe
4452	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
5592	mspaint.exe
5592	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
5708	mspaint.exe
5708	mspaint.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
6480	mspaint.exe
6480	mspaint.exe
6676	mspaint.exe
6676	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	Taskmgr.exe
2592	cmd.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2516	Taskmgr.exe
Token: SeSystemProfilePrivilege	2516	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2516	Taskmgr.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeCreatePagefilePrivilege	1336	explorer.exe
Token: SeCreateGlobalPrivilege	12144	dwm.exe
Token: SeChangeNotifyPrivilege	12144	dwm.exe
Token: 33	12144	dwm.exe
Token: SeIncBasePriorityPrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeShutdownPrivilege	12144	dwm.exe
Token: SeCreatePagefilePrivilege	12144	dwm.exe
Token: SeCreateGlobalPrivilege	9496	dwm.exe
Token: SeChangeNotifyPrivilege	9496	dwm.exe
Token: 33	9496	dwm.exe
Token: SeIncBasePriorityPrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe
Token: SeShutdownPrivilege	9496	dwm.exe
Token: SeCreatePagefilePrivilege	9496	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
1336	explorer.exe
1336	explorer.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe
2516	Taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2392	mspaint.exe
2392	mspaint.exe
2476	wordpad.exe
2392	mspaint.exe
2392	mspaint.exe
2476	wordpad.exe
2476	wordpad.exe
2116	mspaint.exe
2476	wordpad.exe
2476	wordpad.exe
4484	wordpad.exe
4484	wordpad.exe
4484	wordpad.exe
2116	mspaint.exe
2116	mspaint.exe
2116	mspaint.exe
1072	mspaint.exe
1072	mspaint.exe
1072	mspaint.exe
1072	mspaint.exe
4848	wordpad.exe
4848	wordpad.exe
4848	wordpad.exe
4484	wordpad.exe
4484	wordpad.exe
4848	wordpad.exe
4848	wordpad.exe
3520	OpenWith.exe
1332	OpenWith.exe
400	mspaint.exe
400	mspaint.exe
400	mspaint.exe
400	mspaint.exe
404	wordpad.exe
404	wordpad.exe
404	wordpad.exe
1424	OpenWith.exe
404	wordpad.exe
404	wordpad.exe
4644	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
4644	mspaint.exe
1228	wordpad.exe
1228	wordpad.exe
1228	wordpad.exe
1228	wordpad.exe
1228	wordpad.exe
4064	OpenWith.exe
5144	mspaint.exe
3908	OpenWith.exe
5196	wordpad.exe
5196	wordpad.exe
5196	wordpad.exe
5196	wordpad.exe
5196	wordpad.exe
5144	mspaint.exe
5144	mspaint.exe
5144	mspaint.exe
5496	mspaint.exe
5496	mspaint.exe
5496	mspaint.exe
5496	mspaint.exe
5608	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2592	1320	cmd.exe	86
PID 1320 wrote to memory of 2592	1320	cmd.exe	86
PID 2592 wrote to memory of 2740	2592	cmd.exe	88
PID 2592 wrote to memory of 2740	2592	cmd.exe	88
PID 2592 wrote to memory of 2084	2592	cmd.exe	89
PID 2592 wrote to memory of 2084	2592	cmd.exe	89
PID 2592 wrote to memory of 3528	2592	cmd.exe	91
PID 2592 wrote to memory of 3528	2592	cmd.exe	91
PID 2592 wrote to memory of 652	2592	cmd.exe	92
PID 2592 wrote to memory of 652	2592	cmd.exe	92
PID 2592 wrote to memory of 2392	2592	cmd.exe	94
PID 2592 wrote to memory of 2392	2592	cmd.exe	94
PID 2592 wrote to memory of 3380	2592	cmd.exe	95
PID 2592 wrote to memory of 3380	2592	cmd.exe	95
PID 2592 wrote to memory of 2476	2592	cmd.exe	97
PID 2592 wrote to memory of 2476	2592	cmd.exe	97
PID 2592 wrote to memory of 2516	2592	cmd.exe	102
PID 2592 wrote to memory of 2516	2592	cmd.exe	102
PID 2592 wrote to memory of 1476	2592	cmd.exe	103
PID 2592 wrote to memory of 1476	2592	cmd.exe	103
PID 2592 wrote to memory of 1124	2592	cmd.exe	104
PID 2592 wrote to memory of 1124	2592	cmd.exe	104
PID 2592 wrote to memory of 2036	2592	cmd.exe	105
PID 2592 wrote to memory of 2036	2592	cmd.exe	105
PID 2592 wrote to memory of 2124	2592	cmd.exe	256
PID 2592 wrote to memory of 2124	2592	cmd.exe	256
PID 2592 wrote to memory of 2116	2592	cmd.exe	108
PID 2592 wrote to memory of 2116	2592	cmd.exe	108
PID 2592 wrote to memory of 1408	2592	cmd.exe	109
PID 2592 wrote to memory of 1408	2592	cmd.exe	109
PID 2592 wrote to memory of 4484	2592	cmd.exe	110
PID 2592 wrote to memory of 4484	2592	cmd.exe	110
PID 2592 wrote to memory of 2800	2592	cmd.exe	111
PID 2592 wrote to memory of 2800	2592	cmd.exe	111
PID 2592 wrote to memory of 4324	2592	cmd.exe	112
PID 2592 wrote to memory of 4324	2592	cmd.exe	112
PID 2592 wrote to memory of 3228	2592	cmd.exe	113
PID 2592 wrote to memory of 3228	2592	cmd.exe	113
PID 2592 wrote to memory of 5028	2592	cmd.exe	115
PID 2592 wrote to memory of 5028	2592	cmd.exe	115
PID 2592 wrote to memory of 3752	2592	cmd.exe	118
PID 2592 wrote to memory of 3752	2592	cmd.exe	118
PID 2592 wrote to memory of 1072	2592	cmd.exe	119
PID 2592 wrote to memory of 1072	2592	cmd.exe	119
PID 2592 wrote to memory of 2444	2592	cmd.exe	120
PID 2592 wrote to memory of 2444	2592	cmd.exe	120
PID 2592 wrote to memory of 4848	2592	cmd.exe	121
PID 2592 wrote to memory of 4848	2592	cmd.exe	121
PID 2592 wrote to memory of 1320	2592	cmd.exe	124
PID 2592 wrote to memory of 1320	2592	cmd.exe	124
PID 2592 wrote to memory of 4156	2592	cmd.exe	125
PID 2592 wrote to memory of 4156	2592	cmd.exe	125
PID 2592 wrote to memory of 4020	2592	cmd.exe	126
PID 2592 wrote to memory of 4020	2592	cmd.exe	126
PID 2592 wrote to memory of 4520	2592	cmd.exe	128
PID 2592 wrote to memory of 4520	2592	cmd.exe	128
PID 2592 wrote to memory of 2600	2592	cmd.exe	129
PID 2592 wrote to memory of 2600	2592	cmd.exe	129
PID 2592 wrote to memory of 400	2592	cmd.exe	130
PID 2592 wrote to memory of 400	2592	cmd.exe	130
PID 2592 wrote to memory of 4472	2592	cmd.exe	132
PID 2592 wrote to memory of 4472	2592	cmd.exe	132
PID 2592 wrote to memory of 404	2592	cmd.exe	133
PID 2592 wrote to memory of 404	2592	cmd.exe	133

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DONOTRUN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\DONOTRUN.bat" auto
  2⤵
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Autodmsnap.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\DONOTRUN.bat'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2084
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3528
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:652
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3380
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2476
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2516
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1476
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1124
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2036
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2124
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:1408
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4484
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:2800
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:4324
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3228
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5028
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:3752
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:2444
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4848
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:1320
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:4156
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4020
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4520
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:2600
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:400
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:4472
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:404
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:3512
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2448
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2356
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3120
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:820
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4644
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3140
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:2384
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:228
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4260
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:324
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5144
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:5164
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5196
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5212
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:5224
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5276
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5288
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:5388
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5496
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5556
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5608
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5616
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5644
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5756
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5764
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5772
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5852
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5920
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5988
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6020
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6088
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1152
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3140
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:5216
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4452
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5296
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5460
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5616
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:320
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5164
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6064
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:5580
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5592
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5968
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5516
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5864
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2124
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5508
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6132
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5752
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5708
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:964
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6208
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6224
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6232
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6240
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6368
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6424
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:6480
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6488
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6584
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6592
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:6600
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6608
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6644
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6664
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:6676
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6824
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6960
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7080
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5368
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6196
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5752
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4076
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6468
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6748
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4432
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5704
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6180
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5720
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5740
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5536
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6568
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:5376
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5976
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6856
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5532
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6464
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6048
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6788
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3720
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6308
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2124
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6548
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5536
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6840
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5728
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:5736
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:4876
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6352
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7232
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7352
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:7408
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7472
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7492
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7504
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:7516
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7536
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7560
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7584
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7592
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7600
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7608
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7620
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:7628
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:7636
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7644
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7908
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8008
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8020
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8104
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8112
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8144
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6548
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7316
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7300
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:5736
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2456
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2896
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6828
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6920
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5256
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7296
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8044
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7844
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7728
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7272
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8180
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:7064
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:6828
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7184
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5272
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:780
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3740
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7332
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:6160
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:7900
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4992
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7524
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7532
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8088
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:7292
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7260
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4288
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:1480
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:220
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2992
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6308
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6828
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5296
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4148
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4288
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:4992
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4656
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:920
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8196
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:8204
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8212
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8224
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8232
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8240
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:8248
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8332
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8532
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8580
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8592
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8600
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8708
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8772
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:8820
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8848
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8860
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:8868
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8876
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8884
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8892
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8900
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8908
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8920
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9136
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9192
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8476
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8288
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8268
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:4744
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8584
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4592
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8872
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9104
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9020
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8012
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8944
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8784
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8608
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4560
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5316
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:5424
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:5636
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4288
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7396
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:5816
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:5804
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8280
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7036
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8988
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:9056
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8956
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9212
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8908
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3536
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5108
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4448
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:2164
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8612
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8576
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8780
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:8484
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9236
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9252
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9288
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9344
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:9356
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9364
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9372
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:9416
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9440
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9448
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9612
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9624
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:9640
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9652
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9660
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9668
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9676
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9684
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9776
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:10008
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10084
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10232
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8832
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8284
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:7120
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8420
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9344
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9436
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8688
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9712
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5956
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8824
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9564
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:10088
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6508
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6820
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8472
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:9416
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6192
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:9448
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6956
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9844
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6636
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6980
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9624
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8420
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:1944
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:1460
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:5100
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:428
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:3992
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2500
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9568
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3208
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2888
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9576
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:636
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5248
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7844
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:440
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5400
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9032
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6664
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9404
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9748
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:4960
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6120
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8940
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5192
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9488
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3428
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10020
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5136
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5484
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8968
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2936
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3300
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2604
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:2160
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:7132
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8068
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9588
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:7008
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3596
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:180
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:4652
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9456
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:3256
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7112
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8500
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:7684
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6388
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9112
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8304
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8340
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8704
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8872
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:9844
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:4468
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:320
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4588
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:8172
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:9220
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:8560
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5436
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5908
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:10188
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9340
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:9932
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7192
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:10104
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:2092
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7308
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:1944
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:7936
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9228
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7152
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2120
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3256
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:5372
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5908
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:3760
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7072
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10000
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6848
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:8912
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3008
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7920
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3220
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:5704
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:6500
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:9528
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7676
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Modifies registry class
    PID:5092
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:6112
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7508
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6336
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:4356
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:2464
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8820
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:8976
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:9244
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:3716
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9136
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5724
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6772
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:6704
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8636
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2092
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7640
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:10256
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10372
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10416
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:10488
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:10548
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10588
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10608
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10644
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:10692
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10756
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11060
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:11164
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:11172
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:11180
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:11188
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:11240
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:11252
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:9504
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2916
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:11108
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:11164
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10684
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10676
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6544
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:8252
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1068
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8140
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7672
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5044
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:10752
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:11164
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:10732
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    PID:5964
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8792
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7820
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8164
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:7436
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:8404
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11332

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12144

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:10944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8164

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oofncgg2.a0k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
b0776c45a2527d7f38051e4c309a363c

SHA1
5ecba94e7790e96421bf962c1915e2d96ddb9b9f

SHA256
75279680126a79c64b3c0f46aa16295de97c92bdbeeda03718c0f0443a0cfe9b

SHA512
1745abc7294824a599d6c38a1fbfc4475ed4a6f4477d9791bdeec2f4a0f077c0fa2f544d52f4829a9de6225764100c6121c1b482f7816cf54c6af0ad3b64a260

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
d6a902036e05568a352841dffe345b39

SHA1
db2e505111cb172a5b43f215f8289bea31ba5e48

SHA256
660e30606b3977c837400d028960081cfceb1fa9b2b809ae381ec9566d4f6a5d

SHA512
ae4df89049d19f94115e6fcd31cd6a856b42fcac346bace8148c613fb1b4db89fda9d91f637b9a8153877b22d960978893605e203488210164ecfd08fff63068

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
bf4fbaa9f3d804061c73dbd0a7b9728a

SHA1
4935f4a5fd57d938c3c755e0eba83131e63e37e6

SHA256
fb201e96e8d2b3ec67e882b121a776bc992b6c8cef199ad8835707e1d56a2d80

SHA512
d1512ddaa62d9d1c72e3694f4801492ef1ffc005afb59dffeda561c8a5cbee9335caf10cf140458ca2d474481e9dd3cd4fa968d2286f082b25a464e256f1a5dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
9f9c4550bcfc980bfbbce66ead385ad5

SHA1
cea084261fb38afa7588e827d7955c98f990dbb4

SHA256
80f968bdaf387353878e6416647be5b14ed42556e3a509e5918e8193537643a0

SHA512
1cffb765b1f2df16c113c6f8394428004f69f3607a3d8a858e36ccc5fc4a1d745d5b804197f30a703c24b6efa4f7451f2566ead1129947237be37c35be322833

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
0b6aebfe017a6756bec1f4002a67a0d6

SHA1
579b48cb7190c13511f1ad7bac3a8290fdd97a0f

SHA256
7c83e02b84ce82dcff809dd45dd7e46470f20792ba83df4433e6dfa65206009b

SHA512
a4b657bb7e66950d82d5f70f5fb6a4938d3ca2af0e3d8c009998d22047b35cc151de19560454ab0fa79b9a07ce51e37b8dacf837eb3bb47d0fc19e8ae2012d15

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
839c45d0a18a3bc7fc52d70d806812bc

SHA1
40e0f65ed8d4220faeffdc1a870f5127531a67b6

SHA256
b83b326d65b3886b084488d83919a66ac936d1f2d61df399b78d21b62e32f511

SHA512
26818cd25a7f1a540119e1176fb04dc4ddf382fb690e8f5a1fc37d1e7c0605122b287dcd926066cf68455d0ec415518548608841b99bdac0a3fcc50826e90f9c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
31c75553da7d06e1445ef41c67464d4e

SHA1
c7464a86fa0f8c907aeed538e8ddda6ab88e643b

SHA256
f9995563aa5cbef19f45f2114b4557870dbfec072a74b80724c9e816bbc4d68e

SHA512
7a35c9b7ce6e5e6204cddbded44f691b980e271a83e655c22ad5cd283eec9ac73b8bd416dc99ea0129d96132821a6223eba2b16d100e31be53af63aa63484613

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
a0057cc3a07ce60ab0e04b9a84e688f2

SHA1
9a58e6ba6e0ac0772333273d442a1db23d205926

SHA256
73367d9f8c36ab5bab1d56f703971c0464e6c3263a030920fde138450419339b

SHA512
6cf0467e35d3e9e2870d9a703d3c385d2d51bfd3999f592ab349d83faf6148217838fae545970aa927bf83319fe6f721901be9d59ed0cab3625ab3e795ed7ea5

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
984f2d15ed8607886e712b2b6b1e3082

SHA1
fe9382193d053cff996234e44a35382c0eec92fc

SHA256
6ec6b6fe29473eaec066479415a647d6ea29e5a6002e658e6d567ace6d561d3c

SHA512
871e510e40639a8d9bde0586c99b5dace76e421232d1ac502a34a68bff9666fe115299d3695369c572a5a6720bf49fc03d171491cb171eb089c329bbca50dd11

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
065faf415dc7b0c5138d7f084f80114e

SHA1
99a9344d1aed697ae5e10155856d9dc64ae99290

SHA256
ed8e79dddac9bcca1af1be634f3b31c48da321d3ac8169d1ae678663f797b1bf

SHA512
b310b8154d835953796a597cf014be13aea073d861a247f558bc048fbfed7d9f948ec1d1f0bffa8c7ff82d250212792f594a7bffec4c9a8b57b5e0acfc6fb6a2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
b5f1f4c960f2fb7fd5cd851790cb8637

SHA1
63c6a624c81463714ac0e01c893c65832904f323

SHA256
53979a2b77ddc704729b01c3072732035433868c5a3e0b94625fef724d0d4027

SHA512
68c87f55b21e3f4eb9aeaf23f0237bbcee8d5a8bfa37c47d20d1891f1fdd5f24f1851b92b29be667e13a544f64f94ea2b804aa9ac36772ad6abb1979d40943f1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
248afb1919a5b4297bd02aadadf842ff

SHA1
05ef4d2c819ce8d803722579de96bb17a30f58c6

SHA256
9b3e1f60c2121649708c3f3047a54b70905bf3d9e488b6866145bfad97fb84df

SHA512
6f2492af33b9616deb4a2077ff8e8da5c7d143b8c1ed4d572ebcd0b296a412b36ef11eedd9e94167b44bd63bebc8d899522a87a709fc568fa8f67f578e3cbd76

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
05d18ce38766e5d1f3d40c21e2355639

SHA1
995faf26c6bb5c07fc5e5449650febede3fc309d

SHA256
853562566659a37fe858e5a84421d79a714c87b1aaca62cad9c82b7949786ba0

SHA512
a422bde4e7afbaf5246f16ecf326576d99d3fddbf7133f6336af3b12435bf7abe2b327ab800eaa9e20a03c0f13b5edee4f8cc5d61447806de6b1320e27652fe9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
220c677a5b4f733f2421a86b6c5bfde1

SHA1
cfb8456bd9b04e11bd24948aa2cc19050b751b9f

SHA256
395e4320a467b5191cd7b9c6758285a79596b39e53be524f4f8766c580868435

SHA512
6270198b47fd87ef140fdf6309b40f5f098b56cc93e749f0f9dc40fc2e4b07093030faa80a4c83bf0004d4bebd59a13557ed5121df9b2cdcba51d6a77f32ffbd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
22KB

MD5
b8b8737d2a7476f440b6997b99e494df

SHA1
6a96c066ab76057f01ed06f1ba754bbc53b155bd

SHA256
31dacc070c3f68a6dfa5b13ac3d8769f7becda3db32c2a00190b44d9bb936435

SHA512
c2fea4382faed377bdecb3c369087ab3bf3c719fd6a7aeeaf13a3a26dd6dfc323eea91abf1f8947b4e6af1420ab6ad6500f84726d619fa56f441fa4f19c739cd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
0ade3fd71be9c803e567c6f0910c2480

SHA1
9944c8d4542ee96b123dbc721b4ed4392e24e337

SHA256
363a09f62979f2e9fc3279b0670db8f108d85afb5f4cf0ee4ebd1599e141c853

SHA512
6f6807e731efbccd97fcf76a5a5abdce76a181fa2d5fdfc0ed686a3d81152d3b7286b728064864b14fb977f108923db44b787b3826f7542a8b6d4ef83f0e0f15

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
1a6dbae8ec22c48b406653008a11334a

SHA1
c2fd16db8ec48a29ee1b0646ed057d49b12c25cc

SHA256
47484c72df68840581a0c6fe59b6f4d2e898536ee7985a6dabe80bc4d63d4ae6

SHA512
4d1dba3939986e86492f3330afedcc7e5dcc81d20fdf607ea7578e73cd1318cb99fa01f3a92b0b1d5ea2495a10ace680db903d5bf7ccb347300cb2c4a5a8766b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
38a2604f75b641edb83c8f27e32aa5dc

SHA1
d5d74b2d1b0275fd9a7cd60650be4666a681b42e

SHA256
75b186e82d44056d66f3501372fb21f73a907ecdad5e9adb9ac1cc3df16e12c9

SHA512
39889cab52d31b6b0853684a26ee6d1e0f0ac02c32cb4d343f3ae2168c1acbcd140c695604b6c32605607d17b8038f85da9d4cb8b6fe123223501758b0538994

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
78497efed136daead2cd1a4a8ff01339

SHA1
7270b809810f339840a861a0b54c2ac7f7062274

SHA256
6ed6ffc571769c0b55d5dfecb052eccd34bc51ffdf196fd0c24ecb19563e105b

SHA512
e673c04b93ff52f66829de9d4faffd0bfd49f959f9e1b1f3d71710946dd5938afd5cbbfa2007928becf21c38b39b5cc57eb7c721d48e2b19553bf57d47b00ac3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
dce5e7183c8b2a840dc3a7fad935f368

SHA1
97391a4ad7c1888ce4edec90679175e0c4315d33

SHA256
9820b25a8d5c1a9bdd6cd2d1c4eaeb650a050be92a6c9568dad3fa089c2a27e4

SHA512
f0c664af08e88af8c9ec477110d710af14b432c789a54c4d0d173eb481c6789fdfaf2546238388cbe3db26461d5ebe55d6fccccf7ad92c570aed676785308bd7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
4f04d26586f8d8a8177440f1bc3a5b06

SHA1
c9d1e834d8b08ee538aceab0a4e4c91e00d2ae21

SHA256
e92bba2df3a7dd7c62166c585f333fdcdcac0a6457d18f25e5b77d28948e0408

SHA512
d33a76a2b26fdd4f9c67a2f905604524d76f37256a0bc364ad973952ac0149d8430fac2c7fe40aee747510b0f3b93d3bb06a23c904822cc4fc5dd4d39a5653cc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
35KB

MD5
ad576cde7d5f2fc33f5ea4237f53a1b1

SHA1
7b64471fedb9f8648ac18d7b4f00c7c3cbb05a9d

SHA256
e16d4066fe8cf38b153f700bd64f953185eb97998e9e24e09a9af13e07565b4e

SHA512
1c1af0b5ab6cd4ad8a7641435dc934c044f83da6be47956db3aa0c0b9074ac5b83a8845b90b708f2067c66f741d186fb1c6985a9cb0e21ffd62e60451846a4f0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
13a0d59f7103d55c8aef26af79c9b660

SHA1
15f8a425e067316dd707bd773a8508252cfc0636

SHA256
40c53a99511dcbc3fe5c91a5258a4baf9106c01384461c62070369461181cc9b

SHA512
f851a896b5481620c6fc10062874d048bdee8b828a43df200c8d54c6547bc6fbedf484409fd56278e2e328e9ed62b095cf532007543a228d61d7aaf1ebb7d1c3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
38KB

MD5
c635a300ff0e1febc1330d643e7ad679

SHA1
67a7309a57ec1d375126bd7899772bb5a52cc044

SHA256
23aa1fba14424df5992439b0f61d9cb5c780a08ffb82225fb1d80c7ead5fdbd4

SHA512
a44db8355d9477cefc8b1b0982928fb04fbdc0b80b4cace5da917af6222bd43265f161aafa7605fa33d70406bffd5e9e2aa6f15f2d578b9ecdd1267d40103c9c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
7655fd3933cb7a0d9869ea041b85757d

SHA1
33d74db065d323eccdc48b6f004a7b0901ced186

SHA256
b70befa1e703c7351cd41badd646bc41f2352acfb68589cceb301284daf5adbd

SHA512
6125476faade99cfd747ccf0d702cb48c2a15534b8761ace0315ffc243868a04962a10a099a7a6521f90b56d63c1da595305be499e125e00bbc504aef3507942

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
41KB

MD5
7cd5ce52c513ed68afeed46170dbf2bd

SHA1
734025a14a3ebb65649279e2fc9387b6398e507c

SHA256
e755e728a6711dee62f60842320c4b7a008da25ac8a6de8b54336e6e4916673e

SHA512
d6dc243867c7f1f0d141b592f89c53b964e0d92efdc0fb233314a47fb4facded3cde67f44f659c8094c6f046afa5be3e57362980b43e92e8bbfe6c094cf28127

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
2412d42e4dc291af030e904bcb23db36

SHA1
870de480b45fac55348c3c2e27c66b78cc4c19cd

SHA256
343d5c285a45188a204ad8b532908f2ed043d88365817c1d0e174abedf2a4557

SHA512
ef655f875cf10f73048ba435964fe8d4787f1a22eb3e93308cc795e584601fe18d462c509f61102fe7e9b582638921f515dab1e63c2b166a30c6bf8cd31864bd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
c36c262c027fd68941b03eaead8b2873

SHA1
aca5cb72e2f01f5d59804216638b382da7cf5f41

SHA256
e23b9655e5f5092a60986b981ba79e30c346b912da87ee890eb74f1fb2fcc84c

SHA512
2cdd58c3482d6d28a6395ab863bf3b4e7606f8081c663942b4a50ea4d779a53cd46df6130de1b1ef9793616eb80b21baac1ceddbf4df03e73d3bb2c0749cadc6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
45KB

MD5
654d4a7de27d265f32fe039cc6a11b0a

SHA1
57b91714f4364627d299d08eac819e594d00618d

SHA256
947b05104e3745061132d4dfc6d153753d1384c9b4fcb5e2a9f26c913a54276c

SHA512
38fc0db43eadc12bb70ec153852b200bc6c1901ce79be36c406d36ac062a56e4be1b3f666cd1d9af3d1f7fe7a86f3d4fdc50b273e607dd78e2b6834b2d92f0e0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
505997eecef4af685f9141b27bb1b348

SHA1
a047fd597a4cd7d73c0f5938b86e16d1d2e40766

SHA256
b080856f8d46ef79cb7166d07094616e678e9133ff84cca15968e625bf7d51df

SHA512
15fa5cb3aa1750a4212fa5cb53f6f14f4fb92d5f32e065a6cc2177a9712d38950c4a06b766610c5c49957b0229bec10c8a67b3b94f61196c581d3f39dd4e66d4

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
48KB

MD5
f95e845fced1ca760055ab0c7cc2dca2

SHA1
ba59170a3a836b4e74d2951c4c9af8dae4c54e09

SHA256
3fb7b08bcc9a082d4597cde63033cce4dbbb6af270a8649b100f945f84a1a147

SHA512
e369e473fb5da2bde99aa9e2fda56c4e9b722727ec45ca16350b34394dbada8fb8d8799129795993224663c96fe3c3bcb10e2dbebe9b9b6aa3647bfe4649eb08

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
50KB

MD5
1a08dfd93431818462214cad9b97c9ed

SHA1
50ff364bb71823c345099b6455bdd815c2ea28db

SHA256
924e4d821d9f4d9772a75d620c81fee3e9998d073c4aae86609a608574301f64

SHA512
e4ef4efb2789b8c8166c16c4b3ffea2c0bd00593bcc1f6150b99c09b3ef72733a122c9c335d889d651083195a6241913bddba53a8d7b89fa6ebb00aefed4611a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
51KB

MD5
e9c7aeae7e3ce83b0e9e7dbf7ee96bd3

SHA1
eb046afa439899b55f64cab899f0b5ad610b5c4a

SHA256
a6deec5a6c068d3cd62ba54e9b1f2f759aa8fa2e3c5109be99bbd56713ce1b12

SHA512
e895eef7660c10d5a6ea0bfe74a5fc7ec49d43adbf1267ef0e16799e420e1a5e814ac0e710bebc21f19f5dd1557c3aaff481e55c919416c9e9b75f670ec6aa3c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
a585143ccc1a352007a65bb347e05235

SHA1
20c0d92ce3e56e89f14977d8bba6be5dd295f394

SHA256
0d64f03568cec54ca73afc1eaf70460317296cd9b43d517557ea6f1f2b9e1089

SHA512
c88e19c04f6b8e6194290111faae82a67ab1beed4bfe3d65aeb100932868cd496324de6dece289a68a40548c888c34e0ada013e24e547ffedb22f64a8b52c309

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
54KB

MD5
ea3f130d365e9b260be61ea9eee6a62b

SHA1
c1147d5548542f545e1773fbf6f8cd8654cca5b2

SHA256
c582b7627f410353819d16dace365671ccb3cb55404393f3545be4e24ef588de

SHA512
ca206fbb5a7629670ced57df0fe3765ee2048d2794954da378add398064e4596294343b392035e58f4447b50cdcdd037f953dab79bd1cbd881d2899117bef792

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
56KB

MD5
6d7b0270ebf9815c8009c54a35eed015

SHA1
8694964ea5606808d0b929a2c3639ba3cabb46e0

SHA256
cc4f2cef3b6a3da895a8c28f8e00fa2d68d56c45d6833d58b79eb4ddade70676

SHA512
0cdc4f83e581b541ccf52783bd56b0ff4ea4ea6d00696dcae1bfa000227f7081490ca564b42621801002ec77aa5455ac7c7380cf240d304aeaba16269a83a5dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
57KB

MD5
8e6dfb37c0484b524fb0d3d27f64503d

SHA1
9ba28097ed6dde917b71e7b43e484b9375192de2

SHA256
9915825303243e2f7640277f84d8c0023fdc8f7d2ce36972dffce3e4d6813bad

SHA512
788d0bebe5158bdfc73e9f9502fcb082cb0ee08dda0619ccac132d548807619047d7a13adf1d3faafb44d0a983f69f62c483ca38459cca8017f06d45684b9131

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
b47cd37ad7653c6ce127f3c1279b36dd

SHA1
a2f12799bde25311e27e39da0ace1c923338880f

SHA256
256f20d7c599b9f26015cdbe85831888043b926bf5df2a81088a5a1bca4fd4af

SHA512
94d268dd48f2f2409c5f0809b44eeb64704e022881cd1a19c4b66b6836af7f4e898e25d5c7a9f435fb157ee949e8733034961f89072122369e685ee67c625e75

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
61KB

MD5
06378b26057050208ef63c3f5f6cefa2

SHA1
990c7a2bc3cd0af90de4d3fc5c62b409a4523f5f

SHA256
f8c269207e71afe2c63eb2b13a767b6d015c626e76f87ad38a2fa907121afbe2

SHA512
323a224b549485a87c73d3812811ef515915b353e34ef7643d71ebed9f32ae3819c5392f6cdff2029cd70e1fa8686b23acf206f41674b7f0ec5833c9becd0928

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
126a336a604b24e09652170fcb44465b

SHA1
f5003c823b1e168405633685ec461570fafb8fc4

SHA256
e77ea29e6b9b077f5ac9a6dba96ca4f9fc010bd1197810f7686386653d97db36

SHA512
48cf483ced985d8308cebe1a33366afe6ed68a3cf995469459db6e81e6488247becd5008967dad04e861c7898218659c5bc6fa5cea5b4044689a41693da9c6fb

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
64KB

MD5
7e2b462b0c950d9b157a581dee501ad0

SHA1
fe73ab1d4315b59003e0b155465503cb8aa396a9

SHA256
4e34e0661ee94c1b651d070b1e6afc3c827cb277821242363439740a592e3ba6

SHA512
b3d6c17c53bc54eed429586666d9fb04c90751423d85f29c19c0d2cedf107374a91cb0bf68b94a88ccab34e0a31b858a5e5669316fa430a06d1d547803d4b8c1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
65KB

MD5
87efdb104695177daef34a92d0dc0c18

SHA1
467c69b600043d24663de0d89789bf6de5c334de

SHA256
68a483597315a43ae88147c015fadd04bef21bff5207c00efc4c8d1b5dd31c66

SHA512
abafabb1beb41fa2fa1ff25574971f03487215a59c1492863d20cbef07ac555efc0a0ac1c6fe287f13119080cde68cad7aa5bba3f170c71d76d2160ab10977c3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
67KB

MD5
956aee9abafaec42ec1137ddd03bb190

SHA1
4866728c24660637c89d2321b0a55244b17ba665

SHA256
3fde51f29deb930490b7d5d98c098807b806a6ea3fd64bd61d908dc3c7436d49

SHA512
c3dbbddd61cc34d04faf45ae67126bfe071f79f7498961e1d38c9df60ceddc22ecb3010cb4acda2aa0067f9e6c9947a36436a0f309689bba0e510c29bee35632

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
c5d48390a69dcaf88388b098cde38dc0

SHA1
59b58bab346d384902fb36904ff58a4257b5b961

SHA256
17b17925e580126903eda98fb76dfbffc7b5d704752d70480cc96e3d97ed8632

SHA512
543a446ebb22a6973cff9f5f84a08f3ca42c11bd44667d03024fb96d6295e7b410a71f66d4c234cd78a95c659a45619a0144cdeed1b28dcff3a3ae0d2ccf6e7a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
70KB

MD5
2edfbebe67a384056cb7695fe5781e75

SHA1
5aac94441d013bb686519839b779e069ec101d16

SHA256
273e9387aae25c897026bd680eafdce7aff04f2c0b817af5e8240e4b207acbca

SHA512
d96972e79465d9c7c8c1a74d6e89d2654db0106c254034d7113a003220ecda3de4c6382496a53a851633a316fd4ac202bb9a736157aa047e016f1ba7bb07de32

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
71KB

MD5
99a52e98cad74f388c26f75bf230dc0e

SHA1
63f05223b813ff27f47e5989d5a4388daa25191a

SHA256
341398326843b00cc79d546204083e6999ab124d6fcc216229752daf1cb0c943

SHA512
63634b795c8fecf2874e4b7e1d6f6e44041f6c41ae28b221831648e0a693c3cee167e304f02d20503e711a2f81460e9390888f5977bc567deac0ab30348d10ba

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
73KB

MD5
9678343455c7a37ed30c1772368fe953

SHA1
907f886dd087938af36feecd496986ddcf7150ac

SHA256
f94f3a1b4c82f225a941fdc5d40b5d9d8e80f9dd5bd0b6fae29eba5f5cc0b4d7

SHA512
a3be2651b5ada7ffd38f8a932e7cb1b30eff93413334df5ab4762cd3e3b747fc171535bf26d566bf9c3da81cc7b5224ba5792f4e82e2a78025c61049678b2316

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
74KB

MD5
cb8057012d00fdc54c7a129267c5d678

SHA1
46521dec33d9feff427998de8a50dc1963629fec

SHA256
dbf72584faf432b73817188bd063562b4beeee03f2de8b159dffdb71954759fa

SHA512
e671c73167ff29ec2d6a305abe1c948926331edd627b3ede0313ca55089b483d9a71297d0134b7bf81cc4881b427f50d69aa82582edb1ef74b6e2ad389d9f8e8

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
76KB

MD5
7841416120d70c671ca3498ec8ee0f52

SHA1
a471d71c360cd24b17228d4a5c030d2a3a8d6baf

SHA256
8c990d38d254aaf8f1be571d41e9af4efb213db377ad237fc7f4e99bc5f6f175

SHA512
88cd4a1a5a8db9bee969136d9222283179546c4f784cd749b22cf8b57cfca5c16b6aefcaf2e69e87c4e356711d13613a6a96f30afa70f39f23a03e4a2b7c31dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
77KB

MD5
6f80058441e77213a4d10363fe826886

SHA1
b0d238a5c206097d290bd2a59b390f006749a967

SHA256
74141f093c9078b2e7933701663ce41f8247a412f4f63d30ac550fc821447f4a

SHA512
d4a27d5278fef4d6de1d699420d18116a292de41f07dce557c29bb97fdbe82e4aed2c522d5c95debcfc1acc6a3ad059c27590fd19812a9081392411e0e029d06

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
79KB

MD5
9490121541ed941f64779fd59f49a4a2

SHA1
12ab99e2f7e25c4c7d1ea361b663a5afe31ffecb

SHA256
9680496e44b7422061703a7744ea0c1702921211ae95be2355aac6d756aa940f

SHA512
9920155b1b493a850e5bf85b1bec0f35b85f55a04babd1cb340059155878ce86c030361695c54fbecb91056bf5c38e427a56228349953f911bf83dffdbc3d1aa

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
80KB

MD5
58fede3cbb7fac204da8b77d147d7a50

SHA1
2f83cad5365e5594e9f97b9fccb6ff2ef049d900

SHA256
a77df973d9e6c61ac572a21b91414c8669ca21b4c9c70c85b554d13d4176e788

SHA512
e7eafca04ce74e9bd8187c5b0d57e14adff7cd9acfa933582a321eac69349054d21826b3308259455b57d751fc1c093bd59f591c6a54637993142c4eab3168a7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
82KB

MD5
42e5580526c6f91bb5e6c85d30c56a41

SHA1
8539ed1f68e2fe03c363adbb50c97f1800d0046f

SHA256
e7e418bf56cbfb95f95817cb6201802c5f04a6477f13eb867b5876a23793f956

SHA512
5465e851732e37869f2014665ecb21c476da8dff20a91b0ce6dae14842f6fa63a27e887935642eb5ebd2728edd0c1d367176a6a06ead5d53a8fb04447ef18092

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
84KB

MD5
31b56410faa459af1acdd7f759ea60c2

SHA1
86d22f558b8cb27a465565050712398aabcf32b3

SHA256
e8bbf4db3c1edf77f8d1c309f82d0febc1d98cc361f659ec93693b08dbba9ec6

SHA512
3037a7962993101a594dae0b2c79324578aa32b5564257b823790d691b7860e99ce28125e199629204728654de2a69f2c12b54ae71dc3dc0c4537665c5af7784

Download Submit
memory/404-87-0x00007FF8306C0000-0x00007FF8308CC000-memory.dmp

Filesize
2.0MB

Download
memory/1072-89-0x00007FF831340000-0x00007FF83172C000-memory.dmp

Filesize
3.9MB

Download
memory/2516-30-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-29-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-20-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-25-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-26-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-27-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-28-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-19-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-21-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2516-31-0x000002664C000000-0x000002664C001000-memory.dmp

Filesize
4KB

Download
memory/2740-0-0x00007FF830C63000-0x00007FF830C65000-memory.dmp

Filesize
8KB

Download
memory/2740-16-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/2740-12-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/2740-11-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/2740-1-0x0000017DD6900000-0x0000017DD6922000-memory.dmp

Filesize
136KB

Download