hxxp://jk | Triage

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Explorer.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 41 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "31"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "a"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	Explorer.EXE

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe

System Binary Proxy Execution: Rundll32 1 TTPs 2 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
3060	rundll32.exe
2516	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTES = "C:\\Windows\\system32\\StikyNot.exe"	StikyNot.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\31\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1001\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\a\Contacts\desktop.ini	WinMail.exe
File created	C:\Users\31\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	WinMail.exe
File opened for modification	C:\Users\31\Saved Games\Microsoft Games\desktop.ini	solitaire.exe
File opened for modification	C:\Users\31\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\a\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Favorites\Links\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\a\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Favorites\Links for United States\desktop.ini	mctadmin.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\31\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Local\Microsoft Games\Solitaire\desktop.ini	solitaire.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\AppData\Local\Microsoft Games\Minesweeper\desktop.ini	minesweeper.exe
File opened for modification	C:\Users\a\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Desktop\desktop.ini	regsvr32.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1002\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Contacts\desktop.ini	WinMail.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\a\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\31\Favorites\desktop.ini	regsvr32.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1001\desktop.ini	regsvr32.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\O:	unregmp2.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Control Panel\Desktop\Wallpaper = "C:\\Users\\31\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Control Panel\Desktop\Wallpaper = "C:\\Users\\31\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP	ie4uinit.exe
File created	C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP	ie4uinit.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	AcroRd32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	chrmstp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	chrmstp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	ie4uinit.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	chrmstp.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	ie4uinit.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinMail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinMail.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1956	SnippingTool.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Explorer.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
692	taskkill.exe
1784	taskkill.exe
1128	taskkill.exe
1308	taskkill.exe
1196	taskkill.exe
1048	taskkill.exe
2704	taskkill.exe
564	taskkill.exe
1376	taskkill.exe
1308	taskkill.exe
2232	taskkill.exe
2184	taskkill.exe
2816	taskkill.exe
1500	taskkill.exe
1740	taskkill.exe
2672	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	ie4uinit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\10	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\34	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\24	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "yes"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\GPU	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Plantagenet Cherokee"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\32	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\19	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "yes"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\XMLHTTP = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\IETld\LowMic	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\23	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 70b70653d706db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\21\IEPropFontName = "Microsoft Himalaya"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\12\IEFixedFontName = "Raavi"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\18\IEPropFontName = "Kartika"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\25	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\SOFTWARE\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\39	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\LinksBar	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\21	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\SQM	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\24	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 00a6b24bd706db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Services\	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\IntelliForms	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\7	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Segoe UI Symbol"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Main\UseClearType = "no"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Desktop\General	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "128,0,128"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Document Windows\y = 00000000	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "yes"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\IntelliForms	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	Eula.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Recovery\Active\{85EE83C1-72CA-11EF-B5D6-4625F4E6DDF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\LowRegistry	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\SQM\InstallDate = "1726339743"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpeg	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aac	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.avi	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B689B0D0-76D3-4CBB-87F7-585D0E0CE070}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 03000000020000000100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\midi/mid	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aif	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\3	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.adts	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2T\OpenWithProgIds	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1920x1080x96(1).x = "4294967295"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mid\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/vnd.dlna.mpeg-tts	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell\Play\Command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpe	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmx	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wtv\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ts	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wtv\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.midi\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1002_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ListRecentlyPlayed = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mp3	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.adt	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m1v\OpenWithProgIds	unregmp2.exe

Opens file in notepad (likely ransom note) 13 IoCs

ransomware

pid	Process
4928	NOTEPAD.EXE
3700	NOTEPAD.EXE
4896	NOTEPAD.EXE
1732	NOTEPAD.EXE
1408	NOTEPAD.EXE
5040	NOTEPAD.EXE
1720	NOTEPAD.EXE
4936	NOTEPAD.EXE
2900	NOTEPAD.EXE
5012	NOTEPAD.EXE
4692	NOTEPAD.EXE
1028	NOTEPAD.EXE
2264	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2816	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
532	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1600	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 13 IoCs

pid	Process
2408	taskmgr.exe
1144	Explorer.EXE
1652	Magnify.exe
872	solitaire.exe
1984	minesweeper.exe
1600	taskmgr.exe
1824	taskmgr.exe
3020	taskmgr.exe
1564	explorer.exe
2260	taskmgr.exe
1256	Explorer.EXE
2464	taskmgr.exe
2816	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeDebugPrivilege	2408	taskmgr.exe
Token: SeShutdownPrivilege	1972	LogonUI.exe
Token: SeShutdownPrivilege	1972	LogonUI.exe
Token: SeShutdownPrivilege	1972	LogonUI.exe
Token: SeSecurityPrivilege	1356	winlogon.exe
Token: SeBackupPrivilege	1356	winlogon.exe
Token: SeSecurityPrivilege	1356	winlogon.exe
Token: SeTcbPrivilege	1356	winlogon.exe
Token: SeManageVolumePrivilege	1056	WinMail.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	1160	ie4uinit.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeRestorePrivilege	3060	rundll32.exe
Token: SeManageVolumePrivilege	1396	WinMail.exe
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: 33	1004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1004	AUDIODG.EXE
Token: 33	1004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1004	AUDIODG.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
1056	WinMail.exe
1396	WinMail.exe
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1532	osk.exe
1652	Magnify.exe
1144	Explorer.EXE
1144	Explorer.EXE
1564	explorer.exe
1636	WinMail.exe
1416	WinMail.exe
2216	NOTEPAD.EXE
2216	NOTEPAD.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1520	Magnify.exe
1236	WISPTIS.EXE
1956	SnippingTool.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
2272	AcroRd32.exe
1168	Eula.exe
1168	Eula.exe
2816	vlc.exe
1256	Explorer.EXE
1256	Explorer.EXE
1928	iexplore.exe
1928	iexplore.exe
3916	IEXPLORE.EXE
3916	IEXPLORE.EXE
3204	iexplore.exe
3204	iexplore.exe
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2904	2292	chrome.exe	28
PID 2292 wrote to memory of 2904	2292	chrome.exe	28
PID 2292 wrote to memory of 2904	2292	chrome.exe	28
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 3008	2292	chrome.exe	30
PID 2292 wrote to memory of 2068	2292	chrome.exe	31
PID 2292 wrote to memory of 2068	2292	chrome.exe	31
PID 2292 wrote to memory of 2068	2292	chrome.exe	31
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32
PID 2292 wrote to memory of 2108	2292	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://jk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b19758,0x7fef6b19768,0x7fef6b19778
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:2
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1456 --field-trial-handle=1236,i,10020547764904675825,2075977249057579902,131072 /prefetch:1
  2⤵
  PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2932

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:752
- C:\Windows\system32\net.exe
  net user a /add
  2⤵
  PID:596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user a /add
    3⤵
    PID:2012
- C:\Windows\system32\net.exe
  net user a 123 /add
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user a 123 /add
    3⤵
    PID:2924
- C:\Windows\system32\net.exe
  net user 31 31 /add
  2⤵
  PID:2364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user 31 31 /add
    3⤵
    PID:2356

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1964

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1356
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\userinit.exe
  C:\Windows\system32\userinit.exe
  2⤵
  PID:1200
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1144
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      PID:264
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:1308
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1056
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Modifies registry class
      PID:1592
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:2692
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
      4⤵
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -UserConfig
      4⤵
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of AdjustPrivilegeToken
      PID:1160
    - - C:\Windows\System32\ie4uinit.exe
        
        C:\Windows\System32\ie4uinit.exe -ClearIconCache
        5⤵
        
        PID:2984
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
        5⤵
        System Binary Proxy Execution: Rundll32
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
        5⤵
        
        PID:2480
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
        6⤵
        
        PID:2976
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Sets desktop wallpaper using registry
      PID:2668
  - - C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1396
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Enumerates connected drives
      Modifies registry class
      PID:1664
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:1084
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
      4⤵
      PID:1184
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
      4⤵
      PID:1240
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\31\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f487688,0x13f487698,0x13f4876a8
        5⤵
        
        PID:812
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Drops file in Windows directory
        
        PID:2000
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\31\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f487688,0x13f487698,0x13f4876a8
        6⤵
        
        PID:2752
  - - C:\Windows\System32\8wawgv.exe
      "C:\Windows\System32\8wawgv.exe"
      4⤵
      PID:1560
  - - C:\Program Files\Windows Sidebar\sidebar.exe
      "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
      4⤵
      PID:2248
  - - C:\Windows\SysWOW64\runonce.exe
      C:\Windows\SysWOW64\runonce.exe /Run6432
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1036
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
  - - C:\Windows\System32\mctadmin.exe
      "C:\Windows\System32\mctadmin.exe"
      4⤵
      PID:2400
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\system32\mstsc.exe"
      4⤵
      Enumerates connected drives
      PID:1936
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:532
  - - C:\Windows\system32\osk.exe
      "C:\Windows\system32\osk.exe"
      4⤵
      PID:1808
  - - C:\Windows\system32\magnify.exe
      "C:\Windows\system32\magnify.exe"
      4⤵
      PID:2520
  - - C:\Program Files\Microsoft Games\solitaire\solitaire.exe
      "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
      4⤵
      Drops desktop.ini file(s)
      Suspicious behavior: GetForegroundWindowSpam
      PID:872
  - - C:\Program Files\Microsoft Games\minesweeper\minesweeper.exe
      "C:\Program Files\Microsoft Games\minesweeper\minesweeper.exe"
      4⤵
      Drops desktop.ini file(s)
      Suspicious behavior: GetForegroundWindowSpam
      PID:1984
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:1600
    - - C:\Windows\system32\taskmgr.exe
        
        "C:\Windows\system32\taskmgr.exe" /1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1824
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Windows\system32\taskmgr.exe
        
        "C:\Windows\system32\taskmgr.exe" /1
        6⤵
        
        PID:1908
        
        C:\Windows\system32\taskmgr.exe
        
        "C:\Windows\system32\taskmgr.exe" /1
        7⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3020
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  PID:2404
- - C:\Windows\System32\osk.exe
    "C:\Windows\System32\osk.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1532
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  PID:2500
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  PID:1272
- - C:\Windows\System32\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1652
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:2764

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:404

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:532

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:1892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2300

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1624

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:956

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2604

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:880

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1200
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "376159000-17664518871377369299-649481877-433713007-365241551-481878140-107063075"
  2⤵
  PID:2108
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "200914859830521353-1758930239-4453558351061570848884221669-1763966473-2106998370"
  2⤵
  PID:2968
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1965407239-21067122661212268186-1367591773-1954399621-1063568756-2083684456601204424"
  2⤵
  PID:872
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-92055419512208970011057637800-164773149329602173211681766601331211416-828718089"
  2⤵
  PID:1848
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-685311454-3261684115675288661838385378-566337730-11072038381593604126-1164219677"
  2⤵
  PID:2764
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-4365369802041648961-1054193105-6719777544774000851233075184-1660859737-1275952772"
  2⤵
  PID:2372
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-20449612891705200343-758800827-177690376-2122543911-1221620095-916514443-399568485"
  2⤵
  PID:2336
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1725029513248269310-1652308006-1630345701-185660399-1193169879854009906-491993912"
  2⤵
  PID:292
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "811652146-7776106414819575381304220439-31749830515747326721837896363-824197642"
  2⤵
  PID:1512
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1338242227-19648562362197184842072238891324688333587672808-19039956191795522627"
  2⤵
  PID:2984
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1857096335-16072755051212689553449404180-1242908735-215345990634891047-1679208524"
  2⤵
  PID:2312
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "501533422-439788542944034632-1864723233-9921289726358646821796678461346012610"
  2⤵
  PID:1568
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "46962906-15055156911550802276-27547177071320985917778931622044267125-853632070"
  2⤵
  PID:1624
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-981173888587229824-565764625161531581-1351079326-267385394-454663268688892569"
  2⤵
  PID:2376
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "755910799-8982841-489927847-84179780623601256411846980251116397725388051820"
  2⤵
  PID:1028
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "18636396121813225143358954895-1793922723-1804534369180946597221440022532090218914"
  2⤵
  PID:2828
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-892101319-13372603679493032-3204076808752320287001791211167645604142373253"
  2⤵
  PID:928

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:1056
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:2744
- C:\Windows\system32\userinit.exe
  C:\Windows\system32\userinit.exe
  2⤵
  PID:2120
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1256
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies Internet Explorer settings
      PID:2892
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1636
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Enumerates connected drives
      Modifies registry class
      PID:1584
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:2304
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -UserConfig
      4⤵
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:2560
    - - C:\Windows\System32\ie4uinit.exe
        
        C:\Windows\System32\ie4uinit.exe -ClearIconCache
        5⤵
        
        PID:2144
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
        5⤵
        System Binary Proxy Execution: Rundll32
        Drops file in Windows directory
        
        PID:2516
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
        5⤵
        
        PID:2848
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
        6⤵
        
        PID:1356
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Sets desktop wallpaper using registry
      PID:1984
  - - C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1416
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Enumerates connected drives
      Modifies registry class
      PID:2992
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:3000
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
      4⤵
      PID:1712
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
      4⤵
      PID:2944
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fe67688,0x13fe67698,0x13fe676a8
        5⤵
        
        PID:1984
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        Drops file in Windows directory
        
        PID:2380
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fe67688,0x13fe67698,0x13fe676a8
        6⤵
        
        PID:1548
  - - C:\Windows\System32\8wawgv.exe
      "C:\Windows\System32\8wawgv.exe"
      4⤵
      PID:304
  - - C:\Program Files\Windows Sidebar\sidebar.exe
      "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\runonce.exe
      C:\Windows\SysWOW64\runonce.exe /Run6432
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2904
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
  - - C:\Windows\System32\mctadmin.exe
      "C:\Windows\System32\mctadmin.exe"
      4⤵
      Drops desktop.ini file(s)
      PID:612
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:2260
    - - C:\Windows\system32\taskmgr.exe
        
        "C:\Windows\system32\taskmgr.exe" /1
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2908
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1308
    - - C:\Windows\system32\net.exe
        
        net user Administrator /add
        5⤵
        
        PID:2124
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Administrator /add
        6⤵
        
        PID:1520
    - - C:\Windows\system32\net.exe
        
        net user Admin /Add
        5⤵
        
        PID:2304
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin /Add
        6⤵
        
        PID:1900
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\a\Desktop\New Text Document.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2216
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:3020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:2672
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:1840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1784
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2320
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:564
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1376
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:1808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:692
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:2232
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:2184
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:1932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:2704
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2196
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:2816
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1128
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1308
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1500
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:3008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1196
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\a\Desktop\a.bat" "
      4⤵
      PID:2428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1048
  - - C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\a\Desktop\a.bat
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\a\Desktop\a.bat"
      4⤵
      PID:2752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM wininit.exe
        5⤵
        Kills process with taskkill
        
        PID:1740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\a\Desktop\a.bat"
      4⤵
      PID:2208
    - - C:\Windows\system32\net.exe
        
        net user 98978677697889798 /add
        5⤵
        
        PID:2864
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 98978677697889798 /add
        6⤵
        
        PID:1284
  - - C:\Windows\system32\magnify.exe
      "C:\Windows\system32\magnify.exe"
      4⤵
      PID:3068
  - - C:\Windows\system32\SnippingTool.exe
      "C:\Windows\system32\SnippingTool.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of SetWindowsHookEx
      PID:1956
    - - C:\Windows\SYSTEM32\WISPTIS.EXE
        
        "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1236
  - - C:\Windows\ehome\ehshell.exe
      "C:\Windows\ehome\ehshell.exe"
      4⤵
      PID:444
  - - C:\Windows\system32\calc.exe
      "C:\Windows\system32\calc.exe"
      4⤵
      PID:2108
  - - C:\Windows\system32\StikyNot.exe
      "C:\Windows\system32\StikyNot.exe"
      4⤵
      Adds Run key to start application
      PID:1836
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\system32\mstsc.exe"
      4⤵
      Enumerates connected drives
      PID:904
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2272
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe" Adobe Reader;66814
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      4⤵
      Enumerates system info in registry
      PID:692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\a\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\a\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7feef1b9758,0x7feef1b9768,0x7feef1b9778
        5⤵
        
        PID:2512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:2
        5⤵
        
        PID:820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:844
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:1604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2056 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:3004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2064 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:2140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2260 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2508 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:1768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:2
        5⤵
        
        PID:3460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3216 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:3964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3228 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:3604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4852 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:1
        5⤵
        
        PID:3384
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        5⤵
        
        PID:3824
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fe67688,0x13fe67698,0x13fe676a8
        6⤵
        
        PID:4292
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        6⤵
        Drops file in Windows directory
        
        PID:4336
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13fe67688,0x13fe67698,0x13fe676a8
        7⤵
        
        PID:4356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:4528
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:4540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:4728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:3680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2588 --field-trial-handle=1368,i,16432554990552024779,15766440667272641589,131072 /prefetch:8
        5⤵
        
        PID:5028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1928
    - - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
        5⤵
        
        PID:1348
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3916
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3204
    - - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
        5⤵
        
        PID:3228
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:603142 /prefetch:2
        5⤵
        
        PID:4248
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:668678 /prefetch:2
        5⤵
        
        PID:320
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:406533 /prefetch:2
        5⤵
        
        PID:3356
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:209926 /prefetch:2
        5⤵
        
        PID:3480
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:799747 /prefetch:2
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:930819 /prefetch:2
        5⤵
        
        PID:3880
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1061891 /prefetch:2
        5⤵
        
        PID:4188
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1192963 /prefetch:2
        5⤵
        
        PID:4116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1324035 /prefetch:2
        5⤵
        
        PID:4036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1455107 /prefetch:2
        5⤵
        
        PID:3844
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1586181 /prefetch:2
        5⤵
        
        PID:3224
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1782787 /prefetch:2
        5⤵
        
        PID:4172
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1913859 /prefetch:2
        5⤵
        
        PID:4332
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:1717252 /prefetch:2
        5⤵
        
        PID:3568
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3204 CREDAT:2110467 /prefetch:2
        5⤵
        
        PID:4400
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4928
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:3700
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4692
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4936
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1028
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2900
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5040
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4896
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1732
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2264
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1720
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5012
  - - C:\Program Files\Microsoft Games\solitaire\solitaire.exe
      "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
      4⤵
      PID:3992
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      4⤵
      PID:4428
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:4312
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:4072
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:4776
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:4108
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:3400
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:2060
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:3128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:1924
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:3292
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:1716
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:5028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:3104
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:4828
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:4752
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:4948
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:3164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:3160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:2360
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:4908
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:2104
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:4788
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:4988
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:3336
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:5096
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:4392
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:4996
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:4084
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:1856
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:4028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:2492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:5088
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:5092
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:4916
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:1952
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:5060
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:876
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:4772
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:3420
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:1480
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:5000
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:1244
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:3492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:2656
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:3352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:1204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:3376
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:3020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:2440
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:3576
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:4032
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:1036
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:3556
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:4812
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:3852
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:3820
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fr-FR"
      4⤵
      PID:1308
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Globalization"
      4⤵
      PID:1348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Help"
      4⤵
      PID:2128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\IME"
      4⤵
      PID:5008
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\inf"
      4⤵
      PID:3148
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\it-IT"
      4⤵
      PID:3312
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ja-JP"
      4⤵
      PID:3664
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\L2Schemas"
      4⤵
      PID:3140
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\LiveKernelReports"
      4⤵
      PID:940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Logs"
      4⤵
      PID:4716
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Media"
      4⤵
      PID:4712
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Microsoft.NET"
      4⤵
      PID:1996
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Migration"
      4⤵
      PID:3168
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ModemLogs"
      4⤵
      PID:3436
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Offline Web Pages"
      4⤵
      PID:3372
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Panther"
      4⤵
      PID:4576
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PCHEALTH"
      4⤵
      PID:2172
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Performance"
      4⤵
      PID:4348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PLA"
      4⤵
      PID:3144
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PolicyDefinitions"
      4⤵
      PID:2852
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Prefetch"
      4⤵
      PID:4920
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Registration"
      4⤵
      PID:3892
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\RemotePackages"
      4⤵
      PID:3912
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:3184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:3076
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:3504
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:4900
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:3532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:4808
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:4664
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:4184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:3396
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:5128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:5136
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:5144
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:5436
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:5444
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:5452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:5460
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:5468
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:5476
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:5484
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:5492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:5500
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:5508
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:5516
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:5524
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:5532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:5540
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:5548
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:5556
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:5564
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:5572
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:5580
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:5588
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:5596
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:5604
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:5612
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:5620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:5628
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:5636
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:5644
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:5652
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:5660
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:5668
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:5676
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:5684
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:5692
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:5700
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:5708
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:5716
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:5724
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:5732
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:5740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:5748
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:5756
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:5764
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:5772
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:5780
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:5788
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:5796
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:5804
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:5812
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:5820
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:5828
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:5836
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:6056
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:6128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:6136
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:5232
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fr-FR"
      4⤵
      PID:2188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Globalization"
      4⤵
      PID:5876
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Help"
      4⤵
      PID:5892
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\IME"
      4⤵
      PID:5896
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\inf"
      4⤵
      PID:5912
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\it-IT"
      4⤵
      PID:5920
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ja-JP"
      4⤵
      PID:6064
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\L2Schemas"
      4⤵
      PID:6072
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\LiveKernelReports"
      4⤵
      PID:6080
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Logs"
      4⤵
      PID:6088
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Media"
      4⤵
      PID:6096
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Microsoft.NET"
      4⤵
      PID:6104
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Migration"
      4⤵
      PID:6112
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ModemLogs"
      4⤵
      PID:6120
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Offline Web Pages"
      4⤵
      PID:6152
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Panther"
      4⤵
      PID:6160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PCHEALTH"
      4⤵
      PID:6168
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Performance"
      4⤵
      PID:6176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PLA"
      4⤵
      PID:6184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PolicyDefinitions"
      4⤵
      PID:6192
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Prefetch"
      4⤵
      PID:6200
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Registration"
      4⤵
      PID:6208
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\RemotePackages"
      4⤵
      PID:6216
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:6224
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:6232
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:6240
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:6248
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:6256
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:6264
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:6272
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:6280
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:6308
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:6316
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:6324
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:6332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:6344
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:6352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:6360
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:6368
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:6376
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:6384
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:6392
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:6400
  - - C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap2622:3776:7zEvent23316 -tzip -sae -- "C:\Windows\Windows.zip"
      4⤵
      PID:6532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:6560
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:6484
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:5932
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:5204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:7112
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:7116
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:6472
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:5952
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:6488
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:6492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:7136
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:5956
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:5264
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:6700
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:4616
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:2352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:2968
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:3212
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:2132
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:2176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:2444
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:5260
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:6680
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:4724
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:7144
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:7160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:4848
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:4840
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:3976
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:7164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:3260
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:3928
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:4064
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:6672
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:5024
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:6636
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:4528
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:6648
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:6408
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:2692
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:3056
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:3884
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:5084
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:3620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:280
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:4176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:5048
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:4208
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:4172
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:2164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:6640
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:4324
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:3564
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:4552
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:2056
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:3832
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:5080
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:4416
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:4524
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:2636
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:5116
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:4628
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:3964
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:4556
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:4228
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:4156
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:4352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:4672
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:4584
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:4332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:4024
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:3508
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:4644
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:4532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:4192
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:6024
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:4188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:5960
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:5044
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:3844
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:3872
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:4104
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:6044
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:6008
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:2372
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:5964
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:1664
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:4472
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:4508
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:4620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:6696
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:4016
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:5884
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:6424
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:3280
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:4160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:760
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:3660
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:2004
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:3840
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:3888
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:1160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:7172
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:7180
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:7188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:7196
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:7204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:7212
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:7220
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:7228
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:7240
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:7248
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:7256
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:7264
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:7272
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:7284
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:7292
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:7300
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:7308
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:7316
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:7324
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:7332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:7340
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:7348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:7356
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:7364
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:7380
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:7372
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:7388
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:7396
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:7404
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:7412
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:7420
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:7428
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:7436
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:7444
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:7452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:7460
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:7468
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:7476
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:7484
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:7492
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:7500
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:7508
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:7516
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:7524
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:7532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:7540
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:7548
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:7556
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:7564
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:7572
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:7580
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fr-FR"
      4⤵
      PID:7588
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:7596
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:7604
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:7612
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Globalization"
      4⤵
      PID:7620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:7628
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:7636
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Help"
      4⤵
      PID:7644
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:7652
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:7660
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\IME"
      4⤵
      PID:7668
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:7676
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:7684
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:7692
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\inf"
      4⤵
      PID:7700
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:7708
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:7716
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:7732
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\it-IT"
      4⤵
      PID:7740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:7724
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ja-JP"
      4⤵
      PID:7748
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\fr-FR"
      4⤵
      PID:7756
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\L2Schemas"
      4⤵
      PID:7764
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:7772
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:7780
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Globalization"
      4⤵
      PID:7788
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\LiveKernelReports"
      4⤵
      PID:7796
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Help"
      4⤵
      PID:7804
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:7812
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:7820
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Logs"
      4⤵
      PID:7828
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\IME"
      4⤵
      PID:7836
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Media"
      4⤵
      PID:7844
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:7852
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:7860
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\inf"
      4⤵
      PID:7868
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\it-IT"
      4⤵
      PID:7876
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ja-JP"
      4⤵
      PID:7884
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:7892
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Microsoft.NET"
      4⤵
      PID:7900
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:7908
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\L2Schemas"
      4⤵
      PID:7916
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Migration"
      4⤵
      PID:7924
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:7932
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:7940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\LiveKernelReports"
      4⤵
      PID:7948
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ModemLogs"
      4⤵
      PID:7956
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Offline Web Pages"
      4⤵
      PID:7964
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:7972
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Logs"
      4⤵
      PID:7980
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:7988
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Panther"
      4⤵
      PID:7996
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:8004
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Media"
      4⤵
      PID:8012
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:8020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PCHEALTH"
      4⤵
      PID:8028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Microsoft.NET"
      4⤵
      PID:8036
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:8044
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:8052
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Migration"
      4⤵
      PID:8060
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Performance"
      4⤵
      PID:8068
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:8076
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:8084
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ModemLogs"
      4⤵
      PID:8092
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PLA"
      4⤵
      PID:8100
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:8108
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Offline Web Pages"
      4⤵
      PID:8116
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:8124
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PolicyDefinitions"
      4⤵
      PID:8132
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:8140
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:8228
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Panther"
      4⤵
      PID:8780
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Prefetch"
      4⤵
      PID:8996
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8756
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8216
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9152
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9124
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9212
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PCHEALTH"
      4⤵
      PID:9156
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:2560
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Registration"
      4⤵
      PID:8196
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:4868
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9068
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8168
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8156
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8244
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:8164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:8240
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:4940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:8200
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:5344
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\security"
      4⤵
      PID:8740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:3192
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:3164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:8764
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:4796
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:8704
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:8728
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\system"
      4⤵
      PID:8720
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:4108
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:8744
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:8724
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Tasks"
      4⤵
      PID:5220
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Temp"
      4⤵
      PID:5060
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\tracing"
      4⤵
      PID:4576
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\twain_32"
      4⤵
      PID:5388
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Vss"
      4⤵
      PID:8800
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Web"
      4⤵
      PID:8856
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\winsxs"
      4⤵
      PID:8908
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\bfsvc.exe"
      4⤵
      PID:5332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\bootstat.dat"
      4⤵
      PID:5368
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\DtcInstall.log"
      4⤵
      PID:3076
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\explorer.exe"
      4⤵
      PID:3584
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\fveupdate.exe"
      4⤵
      PID:4812
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\HelpPane.exe"
      4⤵
      PID:5376
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\hh.exe"
      4⤵
      PID:5144
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\mib.bin"
      4⤵
      PID:4808
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\msdfmap.ini"
      4⤵
      PID:1140
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\notepad.exe"
      4⤵
      PID:8976
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\PFRO.log"
      4⤵
      PID:8760
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\regedit.exe"
      4⤵
      PID:8804
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\setupact.log"
      4⤵
      PID:8832
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\setuperr.log"
      4⤵
      PID:8848
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\splwow64.exe"
      4⤵
      PID:8940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Starter.xml"
      4⤵
      PID:8956
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\system.ini"
      4⤵
      PID:8936
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\TSSysprep.log"
      4⤵
      PID:8920
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\twain.dll"
      4⤵
      PID:8900
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\twain_32.dll"
      4⤵
      PID:5160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\twunk_16.exe"
      4⤵
      PID:3128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\twunk_32.exe"
      4⤵
      PID:9008
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Ultimate.xml"
      4⤵
      PID:8980
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\win.ini"
      4⤵
      PID:9028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\WindowsUpdate.log"
      4⤵
      PID:9084
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\winhlp32.exe"
      4⤵
      PID:9036
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\WMSysPr9.prx"
      4⤵
      PID:9020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\write.exe"
      4⤵
      PID:9044
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\addins"
      4⤵
      PID:9060
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\AppCompat"
      4⤵
      PID:9088
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\AppPatch"
      4⤵
      PID:8968
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\assembly"
      4⤵
      PID:9064
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Boot"
      4⤵
      PID:9108
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Branding"
      4⤵
      PID:8260
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:9120
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:9128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:3600
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:9164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:9000
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:1524
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:3240
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:5200
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:1856
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:8256
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:4776
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\fr-FR"
      4⤵
      PID:4012
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Globalization"
      4⤵
      PID:4716
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Help"
      4⤵
      PID:8944
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\IME"
      4⤵
      PID:9220
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\inf"
      4⤵
      PID:9228
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\it-IT"
      4⤵
      PID:9236
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\ja-JP"
      4⤵
      PID:9244
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\L2Schemas"
      4⤵
      PID:9252
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\LiveKernelReports"
      4⤵
      PID:9260
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Logs"
      4⤵
      PID:9268
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Media"
      4⤵
      PID:9276
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Microsoft.NET"
      4⤵
      PID:9284
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Migration"
      4⤵
      PID:9292
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\ModemLogs"
      4⤵
      PID:9300
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Offline Web Pages"
      4⤵
      PID:9308
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Panther"
      4⤵
      PID:9316
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\PCHEALTH"
      4⤵
      PID:9324
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Performance"
      4⤵
      PID:9332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\PLA"
      4⤵
      PID:9340
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\PolicyDefinitions"
      4⤵
      PID:9348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Prefetch"
      4⤵
      PID:9356
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Registration"
      4⤵
      PID:9364
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\RemotePackages"
      4⤵
      PID:9372
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9380
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9448
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10076
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\RemotePackages"
      4⤵
      PID:10092
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10068
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10100
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10116
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10120
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10128
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Performance"
      4⤵
      PID:10136
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10140
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10164
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10148
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10172
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:10180
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:10188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10196
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PLA"
      4⤵
      PID:10200
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10220
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10212
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10228
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:10160
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9148
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9392
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9408
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9420
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\CSC"
      4⤵
      PID:9396
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:9428
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9436
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9440
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9464
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9472
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9480
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9508
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:9628
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\PolicyDefinitions"
      4⤵
      PID:9636
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9612
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9648
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9484
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9500
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9656
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9568
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:8220
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9700
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:3740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Cursors"
      4⤵
      PID:9664
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9688
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9652
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9712
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9720
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9728
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9696
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9840
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9816
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:9828
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9848
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9796
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Prefetch"
      4⤵
      PID:9856
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:4348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9680
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9864
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9884
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:6496
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9900
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9908
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9916
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9860
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:9868
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:5184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:10032
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:10044
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\debug"
      4⤵
      PID:10024
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:10048
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:10088
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9524
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9532
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9540
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9548
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9496
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:9588
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9592
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Registration"
      4⤵
      PID:9600
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9516
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:9608
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:5816
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:6520
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:5800
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:5460
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:4020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:2656
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\de-DE"
      4⤵
      PID:10072
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9768
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9800
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9772
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9784
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9732
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9756
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:9752
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:9740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9572
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9836
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:9804
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9792
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:9788
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\RemotePackages"
      4⤵
      PID:9904
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:9812
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:9956
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\diagnostics"
      4⤵
      PID:9940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:9992
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10000
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:9960
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10008
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:9984
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\rescache"
      4⤵
      PID:9988
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10016
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10028
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10244
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10252
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:10260
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:10268
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10276
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10284
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10292
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10308
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10300
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10316
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10324
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10332
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10340
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10356
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10348
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10364
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10372
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10380
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10396
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10388
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\DigitalLocker"
      4⤵
      PID:10412
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:10404
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10420
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10428
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10436
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10444
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10460
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10468
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10476
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Resources"
      4⤵
      PID:11056
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:11064
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:11048
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:11080
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:11204
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:11216
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Downloaded Program Files"
      4⤵
      PID:11224
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:11232
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:11240
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:11248
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:11256
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:9560
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10488
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10652
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:10660
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10668
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:4660
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10672
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10692
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10700
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10676
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:10684
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10712
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10720
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10732
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SchCache"
      4⤵
      PID:5248
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:3352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ehome"
      4⤵
      PID:5152
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:4072
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:4152
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:5300
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:3664
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:1452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\schemas"
      4⤵
      PID:10740
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10752
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10820
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:10824
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10748
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10764
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10772
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10780
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10788
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10804
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10796
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\en-US"
      4⤵
      PID:10832
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10840
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10848
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10856
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:3644
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10860
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:5352
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:5136
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10900
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\security"
      4⤵
      PID:10864
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10872
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10912
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10888
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:10916
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:10924
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:10932
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10940
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10948
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10956
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10964
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10972
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10980
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10988
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10996
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ServiceProfiles"
      4⤵
      PID:11004
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Setup"
      4⤵
      PID:11012
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:11020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:11032
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:11040
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:11076
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:9668
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:11096
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:11104
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:11156
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:11176
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:11184
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10536
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:10540
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\servicing"
      4⤵
      PID:10544
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10552
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:10564
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Fonts"
      4⤵
      PID:10572
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10580
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:10592
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\es-ES"
      4⤵
      PID:10584
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:6452
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:10620
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:2852
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\system"
      4⤵
      PID:3096
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:10624
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:10616
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\ShellNew"
      4⤵
      PID:10640
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SoftwareDistribution"
      4⤵
      PID:10608
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\TAPI"
      4⤵
      PID:5360
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\SysWOW64"
      4⤵
      PID:10628
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:6016
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:3020
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\Speech"
      4⤵
      PID:11188
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "C:\Windows\System32"
      4⤵
      PID:11200
- C:\Windows\system32\utilman.exe
  utilman.exe /debug
  2⤵
  PID:2248
- - C:\Windows\System32\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1520

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:992

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:1236

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:1808

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2816

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:1304
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:2832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery