e3b1216c43afbc251bbafc1c5a510933d175769b3f88b6315a31e1c8aa6c1940

Resubmissions

02-02-2025 04:31

250202-e5h8wsxlbr 10

20-11-2024 23:06

241120-23pzzswdpp 10

Analysis

max time kernel
613s
max time network
616s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RapidReset.bat
Size

562B
MD5

585007258473e92250845840fcdd7efa
SHA1

f741877750f8b11be85bb9bafacb651456c1d085
SHA256

e3b1216c43afbc251bbafc1c5a510933d175769b3f88b6315a31e1c8aa6c1940
SHA512

da8d912a30b979d06878d4a511a6dc7dc0c82f7cca8f99b618fc0a095de61023d6c9c7b71a922abeff32eadf6e1344c4c79f73858364da7217beeb3c5fe63047

Score

10^/10

discovery ransomware

Malware Config

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9300	5888	WerFault.exe	337
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9368	9180	WerFault.exe	553
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9776	4424	WerFault.exe	397
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	8752	8640	WerFault.exe	565
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	5984	7420	WerFault.exe	457

Renames multiple (691) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Process spawned suspicious child process 8 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9100	9180	DW20.EXE	553
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9240	5888	DW20.EXE	337
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9260	9180	DW20.EXE	553
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9528	8640	DW20.EXE	565
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9780	4424	DW20.EXE	397
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	9600	8640	DW20.EXE	565
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	10228	7420	DW20.EXE	457
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	7928	7972	DW20.EXE	793

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	Process not Found
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\wordpad.INI	wordpad.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
9300	5888	WerFault.exe	337
9368	9180	WerFault.exe	553
9776	4424	WerFault.exe	397
8752	8640	WerFault.exe	565
5984	7420	WerFault.exe	457

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WINWORD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
2788	WINWORD.EXE
2612	WINWORD.EXE
3056	WINWORD.EXE
340	WINWORD.EXE
2912	WINWORD.EXE
2764	WINWORD.EXE
2084	WINWORD.EXE
2144	WINWORD.EXE
1820	WINWORD.EXE
2740	WINWORD.EXE
3296	WINWORD.EXE
3608	WINWORD.EXE
3924	WINWORD.EXE
3384	WINWORD.EXE
3920	WINWORD.EXE
3652	WINWORD.EXE
4408	WINWORD.EXE
4720	WINWORD.EXE
5024	WINWORD.EXE
4124	WINWORD.EXE
4228	WINWORD.EXE
5208	WINWORD.EXE
5512	WINWORD.EXE
5824	WINWORD.EXE
6140	WINWORD.EXE
5888	WINWORD.EXE
5832	WINWORD.EXE
6392	WINWORD.EXE
6756	WINWORD.EXE
7080	WINWORD.EXE
4424	WINWORD.EXE
5984	WINWORD.EXE
6968	WINWORD.EXE
1348	WINWORD.EXE
6412	WINWORD.EXE
7420	WINWORD.EXE
7748	WINWORD.EXE
8088	WINWORD.EXE
7004	WINWORD.EXE
6104	WINWORD.EXE
8068	WINWORD.EXE
8488	WINWORD.EXE
8824	WINWORD.EXE
9180	WINWORD.EXE
8640	WINWORD.EXE
6184	WINWORD.EXE
9360	WINWORD.EXE
9752	WINWORD.EXE
10008	WINWORD.EXE
9300	WINWORD.EXE
9076	WINWORD.EXE
8208	WINWORD.EXE
4284	WINWORD.EXE
8980	WINWORD.EXE
9492	WINWORD.EXE
9788	WINWORD.EXE
9972	WINWORD.EXE
10052	WINWORD.EXE
6844	WINWORD.EXE
1664	WINWORD.EXE
8024	WINWORD.EXE
9452	WINWORD.EXE
7972	WINWORD.EXE
7468	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
5888	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE
9180	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 25 IoCs

pid	Process
1984	cmd.exe
5012	mspaint.exe
5036	mspaint.exe
4740	mspaint.exe
5232	mspaint.exe
5836	mspaint.exe
4108	mspaint.exe
4644	mspaint.exe
5536	mspaint.exe
6392	WINWORD.EXE
6968	WINWORD.EXE
6412	WINWORD.EXE
5944	mspaint.exe
7368	mspaint.exe
8756	mspaint.exe
9828	mspaint.exe
4748	mspaint.exe
6420	mspaint.exe
5956	mspaint.exe
4464	mspaint.exe
7684	mspaint.exe
6244	mspaint.exe
7092	mspaint.exe
6788	mspaint.exe
2788	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2612	WINWORD.EXE
Token: SeShutdownPrivilege	3056	WINWORD.EXE
Token: SeShutdownPrivilege	340	WINWORD.EXE
Token: SeShutdownPrivilege	2912	WINWORD.EXE
Token: SeShutdownPrivilege	2764	WINWORD.EXE
Token: SeShutdownPrivilege	2084	WINWORD.EXE
Token: SeShutdownPrivilege	1820	WINWORD.EXE
Token: SeShutdownPrivilege	2740	WINWORD.EXE
Token: SeShutdownPrivilege	3296	WINWORD.EXE
Token: SeShutdownPrivilege	3608	WINWORD.EXE
Token: SeShutdownPrivilege	3924	WINWORD.EXE
Token: SeShutdownPrivilege	3384	WINWORD.EXE
Token: SeShutdownPrivilege	3920	WINWORD.EXE
Token: SeShutdownPrivilege	3652	WINWORD.EXE
Token: SeShutdownPrivilege	4408	WINWORD.EXE
Token: SeShutdownPrivilege	4720	WINWORD.EXE
Token: SeShutdownPrivilege	5024	WINWORD.EXE
Token: SeShutdownPrivilege	4124	WINWORD.EXE
Token: SeShutdownPrivilege	4228	WINWORD.EXE
Token: SeShutdownPrivilege	5208	WINWORD.EXE
Token: SeShutdownPrivilege	5512	WINWORD.EXE
Token: SeShutdownPrivilege	5824	WINWORD.EXE
Token: SeShutdownPrivilege	5832	WINWORD.EXE
Token: SeShutdownPrivilege	6756	WINWORD.EXE
Token: SeShutdownPrivilege	7080	WINWORD.EXE

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2788	WINWORD.EXE
2612	WINWORD.EXE
3056	WINWORD.EXE
340	WINWORD.EXE
2912	WINWORD.EXE
2764	WINWORD.EXE
2084	WINWORD.EXE
2612	WINWORD.EXE
1820	WINWORD.EXE
2740	WINWORD.EXE
2788	WINWORD.EXE
3296	WINWORD.EXE
3608	WINWORD.EXE
3056	WINWORD.EXE
3924	WINWORD.EXE
3384	WINWORD.EXE
340	WINWORD.EXE
3920	WINWORD.EXE
2912	WINWORD.EXE
3652	WINWORD.EXE
4408	WINWORD.EXE
2764	WINWORD.EXE
4720	WINWORD.EXE
5024	WINWORD.EXE
2084	WINWORD.EXE
4124	WINWORD.EXE
4228	WINWORD.EXE
5208	WINWORD.EXE
5512	WINWORD.EXE
1820	WINWORD.EXE
5824	WINWORD.EXE
5888	WINWORD.EXE
5832	WINWORD.EXE
2740	WINWORD.EXE
6392	WINWORD.EXE
6756	WINWORD.EXE
3296	WINWORD.EXE
3608	WINWORD.EXE
3924	WINWORD.EXE
3384	WINWORD.EXE
3920	WINWORD.EXE
3652	WINWORD.EXE
7004	WINWORD.EXE
4408	WINWORD.EXE
4720	WINWORD.EXE
5024	WINWORD.EXE
4124	WINWORD.EXE
4228	WINWORD.EXE
5208	WINWORD.EXE
5512	WINWORD.EXE
5824	WINWORD.EXE
6392	WINWORD.EXE
5832	WINWORD.EXE
6756	WINWORD.EXE
7004	WINWORD.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1648	mspaint.exe
2984	mspaint.exe
1816	mspaint.exe
2608	wordpad.exe
2608	wordpad.exe
2788	WINWORD.EXE
2420	wordpad.exe
2420	wordpad.exe
1648	mspaint.exe
2984	mspaint.exe
1816	mspaint.exe
2608	wordpad.exe
2420	wordpad.exe
2060	wordpad.exe
2060	wordpad.exe
2060	wordpad.exe
2788	WINWORD.EXE
1648	mspaint.exe
1648	mspaint.exe
2984	mspaint.exe
2984	mspaint.exe
1816	mspaint.exe
1816	mspaint.exe
284	mspaint.exe
2612	WINWORD.EXE
284	mspaint.exe
556	wordpad.exe
556	wordpad.exe
556	wordpad.exe
2612	WINWORD.EXE
284	mspaint.exe
284	mspaint.exe
2204	mspaint.exe
2204	mspaint.exe
1692	wordpad.exe
1692	wordpad.exe
1692	wordpad.exe
2204	mspaint.exe
2204	mspaint.exe
2724	mspaint.exe
2608	wordpad.exe
2608	wordpad.exe
2420	wordpad.exe
2420	wordpad.exe
2724	mspaint.exe
2812	wordpad.exe
2060	wordpad.exe
2060	wordpad.exe
2812	wordpad.exe
2812	wordpad.exe
2724	mspaint.exe
2724	mspaint.exe
2280	mspaint.exe
556	wordpad.exe
556	wordpad.exe
2280	mspaint.exe
1988	wordpad.exe
1988	wordpad.exe
3056	WINWORD.EXE
1988	wordpad.exe
2124	mspaint.exe
2280	mspaint.exe
3056	WINWORD.EXE
2280	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2512	1984	cmd.exe	31
PID 1984 wrote to memory of 2512	1984	cmd.exe	31
PID 1984 wrote to memory of 2512	1984	cmd.exe	31
PID 1984 wrote to memory of 2788	1984	cmd.exe	33
PID 1984 wrote to memory of 2788	1984	cmd.exe	33
PID 1984 wrote to memory of 2788	1984	cmd.exe	33
PID 1984 wrote to memory of 2788	1984	cmd.exe	33
PID 1984 wrote to memory of 1648	1984	cmd.exe	34
PID 1984 wrote to memory of 1648	1984	cmd.exe	34
PID 1984 wrote to memory of 1648	1984	cmd.exe	34
PID 1984 wrote to memory of 2744	1984	cmd.exe	35
PID 1984 wrote to memory of 2744	1984	cmd.exe	35
PID 1984 wrote to memory of 2744	1984	cmd.exe	35
PID 1984 wrote to memory of 2088	1984	cmd.exe	36
PID 1984 wrote to memory of 2088	1984	cmd.exe	36
PID 1984 wrote to memory of 2088	1984	cmd.exe	36
PID 1984 wrote to memory of 2188	1984	cmd.exe	37
PID 1984 wrote to memory of 2188	1984	cmd.exe	37
PID 1984 wrote to memory of 2188	1984	cmd.exe	37
PID 1984 wrote to memory of 2256	1984	cmd.exe	38
PID 1984 wrote to memory of 2256	1984	cmd.exe	38
PID 1984 wrote to memory of 2256	1984	cmd.exe	38
PID 1984 wrote to memory of 2832	1984	cmd.exe	39
PID 1984 wrote to memory of 2832	1984	cmd.exe	39
PID 1984 wrote to memory of 2832	1984	cmd.exe	39
PID 1984 wrote to memory of 2848	1984	cmd.exe	40
PID 1984 wrote to memory of 2848	1984	cmd.exe	40
PID 1984 wrote to memory of 2848	1984	cmd.exe	40
PID 1984 wrote to memory of 2852	1984	cmd.exe	41
PID 1984 wrote to memory of 2852	1984	cmd.exe	41
PID 1984 wrote to memory of 2852	1984	cmd.exe	41
PID 1984 wrote to memory of 2612	1984	cmd.exe	42
PID 1984 wrote to memory of 2612	1984	cmd.exe	42
PID 1984 wrote to memory of 2612	1984	cmd.exe	42
PID 1984 wrote to memory of 2612	1984	cmd.exe	42
PID 1984 wrote to memory of 2984	1984	cmd.exe	44
PID 1984 wrote to memory of 2984	1984	cmd.exe	44
PID 1984 wrote to memory of 2984	1984	cmd.exe	44
PID 1984 wrote to memory of 2872	1984	cmd.exe	45
PID 1984 wrote to memory of 2872	1984	cmd.exe	45
PID 1984 wrote to memory of 2872	1984	cmd.exe	45
PID 1984 wrote to memory of 2876	1984	cmd.exe	46
PID 1984 wrote to memory of 2876	1984	cmd.exe	46
PID 1984 wrote to memory of 2876	1984	cmd.exe	46
PID 1984 wrote to memory of 2936	1984	cmd.exe	48
PID 1984 wrote to memory of 2936	1984	cmd.exe	48
PID 1984 wrote to memory of 2936	1984	cmd.exe	48
PID 1984 wrote to memory of 2628	1984	cmd.exe	49
PID 1984 wrote to memory of 2628	1984	cmd.exe	49
PID 1984 wrote to memory of 2628	1984	cmd.exe	49
PID 1984 wrote to memory of 1796	1984	cmd.exe	50
PID 1984 wrote to memory of 1796	1984	cmd.exe	50
PID 1984 wrote to memory of 1796	1984	cmd.exe	50
PID 1984 wrote to memory of 2880	1984	cmd.exe	51
PID 1984 wrote to memory of 2880	1984	cmd.exe	51
PID 1984 wrote to memory of 2880	1984	cmd.exe	51
PID 1984 wrote to memory of 2856	1984	cmd.exe	52
PID 1984 wrote to memory of 2856	1984	cmd.exe	52
PID 1984 wrote to memory of 2856	1984	cmd.exe	52
PID 2088 wrote to memory of 2608	2088	write.exe	53
PID 2088 wrote to memory of 2608	2088	write.exe	53
PID 2088 wrote to memory of 2608	2088	write.exe	53
PID 1984 wrote to memory of 3056	1984	cmd.exe	54
PID 1984 wrote to memory of 3056	1984	cmd.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RapidReset.bat"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1648
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2744
- C:\Windows\system32\write.exe
  write
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2608
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2608 -s 464
      4⤵
      PID:8860
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe" /restart 75ec2c60-f9fd-4114-b599-58227976f8d0
        5⤵
        Drops file in Windows directory
        
        PID:9544
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2188
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2256
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2832
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2612
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:4240
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2872
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2876
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2420
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2420 -s 536
      4⤵
      PID:2572
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2936
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2628
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1796
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2792
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2672
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2060
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2060 -s 468
      4⤵
      PID:6840
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:1688
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2780
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1704
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:340
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:284
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:916
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1364
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:556
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 556 -s 540
      4⤵
      PID:9788
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:1788
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:956
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2364
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2912
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2308
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1760
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1692
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2056
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1580
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:1556
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2764
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2636
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2180
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2812
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2796
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2824
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2436
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2084
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1360
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2004
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:688
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1992
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:908
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2144
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2120
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2756
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2892
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1556
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2268
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1820
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:1584
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1760
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2332
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2836
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2836 -s 464
      4⤵
      PID:9028
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2080
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2876
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2088
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2740
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:2824
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2332
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:1992
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3116
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2088
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3128
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3140
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3296
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3304
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3320
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3336
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3412
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3368
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3424
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3436
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3608
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3624
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3632
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3648
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3720
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3676
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3732
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3748
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3924
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3932
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3948
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3964
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3996
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4052
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4068
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3384
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3392
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3420
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3532
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3580
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3436
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3700
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3920
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3736
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3960
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3856
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3864
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3748
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4024
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3652
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3900
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3284
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4104
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4112
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4120
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4136
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4408
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:4432
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4440
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4448
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4456
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4464
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4480
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4720
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4740
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4760
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4768
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4876
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4776
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4788
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4804
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5024
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5036
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5060
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5068
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5076
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5084
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5100
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4124
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4644
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4652
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4696
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4672
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4704
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4712
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3288
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4228
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4108
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4336
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2648
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4768
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3340
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4052
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4392
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5208
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5232
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5240
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5252
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5360
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5260
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5268
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5284
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5512
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5536
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5544
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5556
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5668
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5564
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5572
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5588
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5824
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5836
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5864
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5872
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5992
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5880
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5892
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5912
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:6140
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5012
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5192
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5200
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5460
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4712
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5144
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4772
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5888
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 796
    3⤵
    - Process spawned suspicious child process
    PID:9240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 784
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:9300
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5944
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5576
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5560
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5896
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6048
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6068
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6108
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5832
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4464
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6140
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5584
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6236
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5300
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5448
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6148
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6164
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:6392
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6420
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6436
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6448
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6592
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6456
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6468
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6488
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6508
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:6756
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6788
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6800
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6812
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6932
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 6932 -s 448
      4⤵
      PID:9932
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6820
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6828
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6844
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6868
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:7080
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7092
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7116
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7124
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6348
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7136
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7144
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7160
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:4424
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 784
    3⤵
    - Process spawned suspicious child process
    PID:9780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 772
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:9776
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4748
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4868
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5048
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:620
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4808
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2684
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2520
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6636
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:5984
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:5912
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5288
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6896
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4788
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5664
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5848
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6908
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6968
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6244
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6232
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6988
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6768
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6204
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6296
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4212
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6480
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1348
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:7008
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7052
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6308
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6356
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6152
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5448
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6448
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6412
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5956
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5916
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5524
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7252
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4560
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7164
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7172
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7192
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:7420
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 776
    3⤵
    - Process spawned suspicious child process
    PID:10228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 764
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:5984
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:7448
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7456
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7464
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7592
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7472
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7484
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7500
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7520
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:7748
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:7772
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7784
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7792
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7916
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 7916 -s 456
      4⤵
      PID:8804
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7800
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7812
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7832
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7852
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8088
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:8116
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8128
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8136
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5176
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8144
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8152
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8172
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6452
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  PID:7004
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:7660
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7676
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7684
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7488
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7708
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7716
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7736
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7868
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:6104
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:7332
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8000
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7812
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7172
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 7172 -s 492
      4⤵
      PID:5404
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7248
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7552
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7244
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8068
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7684
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7160
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8204
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8320
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8212
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8224
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8244
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8260
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8488
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:8520
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8528
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8536
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8668
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 8668 -s 492
      4⤵
      PID:6376
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8548
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8560
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8580
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8604
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8824
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:8876
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8884
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8892
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9004
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 9004 -s 504
      4⤵
      PID:9684
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8904
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8912
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8932
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8952
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:9180
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 384
    3⤵
    - Process spawned suspicious child process
    - System Location Discovery: System Language Discovery
    PID:9100
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 404
    3⤵
    - Process spawned suspicious child process
    PID:9260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9180 -s 360
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:9368
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:9212
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7564
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6152
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8616
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 8616 -s 392
      4⤵
      PID:9252
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4840
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7984
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8296
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8340
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8640
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 384
    3⤵
    - Process spawned suspicious child process
    - System Location Discovery: System Language Discovery
    PID:9528
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 404
    3⤵
    - Process spawned suspicious child process
    PID:9600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8640 -s 360
    3⤵
    - Process spawned unexpected child process
    - Program crash
    PID:8752
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:8540
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8984
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9068
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9088
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 9088 -s 456
      4⤵
      PID:8584
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9104
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8720
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9140
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9164
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:6184
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:4280
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8480
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8724
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8840
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7812
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2572
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6368
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9360
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:9392
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9400
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9408
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9552
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9416
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9432
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9440
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9460
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9752
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9784
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9792
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9800
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9808
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9816
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9832
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9856
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:10008
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:10020
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10028
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10044
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10184
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:10052
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10068
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10076
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:10084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10092
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9300
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:3268
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9424
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9416
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9456
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9472
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9492
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9280
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9076
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9832
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7996
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9360
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9864
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9856
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4392
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9096
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8208
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8236
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9916
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5220
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7616
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7884
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5008
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7652
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:4284
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10152
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8312
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8508
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8248
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10156
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8536
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9388
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8980
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8756
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9144
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6296
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9764
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9772
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8492
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8816
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9492
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9276
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10180
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10132
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9288
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10072
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10044
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9496
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9788
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:6840
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9596
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7996
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8616
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9832
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9168
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9584
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9392
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9972
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6908
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5152
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2604
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8820
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7936
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8676
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10164
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:10052
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:5492
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5052
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10060
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7316
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:10004
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7700
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4416
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8396
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:6844
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:2324
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9264
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7324
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9708
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5200
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9460
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2304
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10132
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1664
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:9248
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9740
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8176
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8660
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9176
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7628
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10140
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9744
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:8024
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7400
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7768
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5172
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10004
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6364
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9704
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:9452
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:8756
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3000
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9788
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6640
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8104
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10176
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:7972
- - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 388
    3⤵
    - Process spawned suspicious child process
    PID:7928
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7308
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7312
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8120
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9924
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8680
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8016
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7660
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7792
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:7468
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:9828
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3424
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7688
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10004
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4360
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8540
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7368
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9288
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:6924
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6696
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9276
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:936
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8836
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6680
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4280
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9936
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8088
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4304
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7904
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:940
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5872
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7644
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7648
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9648
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:3356
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8656
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8864
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4284
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7332
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9052
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8584
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:10060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8576
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7832
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5156
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6104
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7980
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7772
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8524
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5428
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:5624
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8472
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9188
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7400
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9060
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:780
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9292
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:3848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10184
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4864
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6680
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7884
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10128
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6844
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7688
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2524
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8208
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4900
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9536
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5316
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7900
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6000
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9864
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7648
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7792
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6952
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10136
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7764
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8656
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8076
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6712
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8992
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8104
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8688
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9120
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9212
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9968
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8004
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7776
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5692
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9936
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2816
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8852
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10100
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9716
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9768
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7232
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8644
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5724
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7660
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2304
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8092
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6680
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8064
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8520
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4996
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10064
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8536
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9436
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9444
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6676
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9884
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7956
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7796
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7740
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7756
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8768
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8680
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8048
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7368
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4484
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7484
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9704
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10144
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8104
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9120
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7428
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:996
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4620
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8300
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9232
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:2340
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2412
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8024
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:2884
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:4836
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10188
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7404
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10020
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8356
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6696
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4392
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2324
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2600
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7464
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9720
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8208
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8452
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8520
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:816
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7900
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7468
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7644
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6664
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8412
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7648
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7956
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7992
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10148
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7604
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4080
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4280
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8868
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8664
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6712
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9512
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:10184
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9872
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6840
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5392
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8116
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10056
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10052
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8840
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8064
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8176
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8744
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7400
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8524
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1920
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4836
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:10188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:2524
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6376
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9796
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7688
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:936
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9664
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8624
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8316
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:6000
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2820
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2840
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9620
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7900
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7644
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7648
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6664
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:10136
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:4608
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9248
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7072
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8872
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8584
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4948
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6880
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7300
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5684
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9488
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7288
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6404
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4620
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10056
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7652
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8024
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5252
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9716
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8072
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8176
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9292
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:6680
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6308
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4364
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6844
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3192
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6376
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7688
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8676
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6276
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7792
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9620
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7468
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7900
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7648
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8412
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:5420
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8872
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8584
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:4948
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6732
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8576
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:3800
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:10184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8804
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9872
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9948
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10048
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6404
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4620
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10056
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9936
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8064
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9292
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  PID:8524
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2524
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5984
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2324
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3240
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7904
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9932
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6308
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9328
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7448
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6276
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7792
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9620
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7900
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7644
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8816
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9768
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2196
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9908
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9512
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8856
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8812
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7796
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8852
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4620
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10056
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9936
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8300
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2020
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8064
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:2412
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8024
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:5048
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9280
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9268
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9356
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7464
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:940
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5316
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7884
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:4388
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9864
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10152
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6944
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6664
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8816
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5984
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:7668
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2196
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9512
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8008
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8856
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8812
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8860
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8852
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8840
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:1520
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6628
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9676
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:2608
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7312
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5252
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9268
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9356
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10100
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7464
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:940
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5316
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7848
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9292
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:8980
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9664
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10064
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9992
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8964
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6644
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10060
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7072
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
  2⤵
  PID:9120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK

Filesize
1KB

MD5
187a93c3d6430e8751141be8edf28484

SHA1
a1eb21cee233b09811815214ed8be03050c723cd

SHA256
9eb2e9af316600b165ea3a266ca741a77dfc8119b0f1da9e05855ab80e4a94d9

SHA512
a7b21723e4b440636a320ca441f9ce5261146839f41ab0ebbc1ca8df1fa4af3b18dfa6b52215edc4046b7ef25df94668076a5e04bd01fac5398e87fd42410e18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
299B

MD5
86e1b582f752e8d9cde528806b6518d9

SHA1
536afe45bdd68bef6b785e3aa1d29bbd7f266ba6

SHA256
716d52e57b66e2d3dcfe84a9d5c607dd2fd962158a6e23ff3b0d6526f614e3dc

SHA512
6feb2e43535794f77eae80789ba00660426d151ee591646ddbd444e082503cf4d3c568305f0dd8a95b760d65104eea5e0f6a02d42c173e15b3f80e6821a5e36f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
299B

MD5
07caf47b6bd42141ef6ce4ffa62416fd

SHA1
fdbaf76980e4b610cb7c492e1e589b63e0bd1e5b

SHA256
dc5d8366305c2cad9163f3629e8a49c28bb7b5a639862be1e92724978f1d67c3

SHA512
2f81ee33e6f646926f4411e11c10e06ac9036ad2db7afca488c048f211d1f0bb91b33e8177ae34e08ff12cf1f599dae2af70609037bb7ab1468da43aa1eb5a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
299B

MD5
aadff68169b48e76d6567ca8c3db1e21

SHA1
ea5530467c0f746e771e47ea777b30feadbe60c7

SHA256
96a66ab3c362c6313963c512b7a1fd77fc8c299f8bdc16b88e7f61d03a9e84ab

SHA512
f9ce7057dd3993fd2f15d5109a6a323882ab3db929890a92d0eaa13fdff7dfb89d5aab6bbe9b0779990d6d0d8b24a0000611a77b5db9fc6cfaf1886beaeed1db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
320B

MD5
d6a9d7385f3581b6b6cdb09da20c477f

SHA1
4fd239bfc3d51e95af6dec3b6c3cc17a71d3069a

SHA256
75ce7d67990da12c19d85cd2c448c712d485b13627aaedc98296e8ab5709b50e

SHA512
6573d2734d393d812cfca2864b5b0ecabbf01e7ea2c7b2b723fa56baecb322f1575ea97374b4ae394eda099f2b4a304b5aa71c8bbd21d14b73e182ea19adf18e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
320B

MD5
5394d8630b29a95f6c5a60ac89371770

SHA1
c0c24ca393ac37a5c34f3a62d2f6786cf38a707b

SHA256
1bcf6c8ec99b3a625ad3c7f0852042879e7dc8f5d1f74bacefdd5ca14c15a9e3

SHA512
835ca3e23a22f65e3e1ea4e3eb62eb5edae5563e219ec12986d4389b9beb6ca10bdc916636c3437ab40026d4b0984f377c81d6ca9263dfad3736b1be4be44216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
320B

MD5
40935864cddc90de719c33105ebaae68

SHA1
21cbd65c0655ed700e0290d759786aeedf65318e

SHA256
8825eefc2e3f4ca1e067a6cbe3227b06cddc65581c8303f4eea1d8f4ad840965

SHA512
4fcbbd1bf626031fe0de15df91c4fec624a0df9c61cb9a76bc29c148bc0e56712ed41f288c31fdcff1ba821b9078d3c6d60f1f17c57b99b84696c13a74a0b720

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
320B

MD5
6fea6ca051bd92e1be97cc96d617584a

SHA1
72b88f58f42bb17178c1c354d2c9fbd44e248fff

SHA256
a52f57ab3209dab88e106c1bd18adfcd4ee2f51000831d1183c570f3968a649f

SHA512
0ffaef789f393d16a38fb866c6700c708ec22b64b340f82a331bdbba7d302614491b22b0966f972a78e40580cccf8d65fea3566fed04507d0bfa346ceff64e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
341B

MD5
931dcd903ca2deaac4b5e8232d02ec50

SHA1
111ee7206f4e814621990037fc27d6a35d381458

SHA256
7feca5833b31537d8cbd93630fe29bc254dd2286656bb193cd92e3630aa23144

SHA512
622ae92962be87337c26759bb39f2a422227f12d82dae1bc5d1bbdc3b8d7afd62f6578ec509ff22e3f92746b5bad0956926f5c47d7db7d79b395970058b0a639

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
172c74fdafa4c6b96b2c950be5403f53

SHA1
824d5d5cd8fb228038fd83314e48994c47d949b3

SHA256
636b226915dfe13f154a62e162353f748ebadee931793b7390b853f2f4a2137f

SHA512
53ea4c37b6b5234d7ee98f6107b79c5d2129f008c7aabff2cc09544d7328e1b9ed45b6f5a768acefda135edbb7aa9963350f76665f98bf79d7e385ee8ffdf353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
661e6bf351f78c02c5fb8aca5a5ec0c5

SHA1
44696af392cf7342e17814c908972e109571a7f1

SHA256
42b49586ddd614f9efc0a472dc4021333bedfdc496da638946428d5fd74ee33a

SHA512
49f7116ef61768dd0463d0209f0b4d8f8840e50415602ec066992cafab531149e1b3e5cde5b90b98faa70ab8ec12d866d74887146d33fa07470d5d99df9f0bea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
31a3128b3b4ae6a9870be2851fa7ce3a

SHA1
d611604c9f08731254244c1cf409132bdec58f62

SHA256
09fef61178a66036796c961fb5221ca1b265ebed1aa8d8de3c46edaa29a60417

SHA512
942989974daabe4e0702e11fb8fd41d2dbfbcedcb22a96b2e3e7d47c76331a6077b59ae6fbafb42792a9dae0c99d2ae6d4b7db7af19d6e2f5f3284cd0e0e7d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
49dd22e18174da421ef5c120ea2925a0

SHA1
9f3b99c057ad1bc213a654958a942cf0f956bfc8

SHA256
7535bcde62568552c0ab30e2359719964ae6b07be9ebe38c784101b60710e56e

SHA512
9767c64e645ab00283d0a32dd7c7bb4d2b8d5b3da9c8700fb69ae86bcdc4c3809237cc18ae34ca8119069956f8d3f9c21786fa1367f4cdc1a7c35cec72a4a030

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
8f2065f7af1a9d3b30d2c34fcad7157c

SHA1
74fc1cb5c4e066cc11f79135c3a48f033b0770cf

SHA256
90557b985704d03f770a7e3aaea045ba80cf5729ca99eee705ff951404520c42

SHA512
39411bdc46a16381f97355a67634cf57959afd81f0ce507680b210af614b9e8866eddb9e1a2ea9905588199c2d30837ef56873d6a098ba268048892d0a8a4e17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
e7578d32c6e7fe8b6f5af9c3d209ee1e

SHA1
7c2c5d7e2d255ac9118249b87cf713bf5678f2cf

SHA256
caf485b774455353c56bb7a79d42dd1545fd9a469ebdae6f5fc1cda746c8bd31

SHA512
6f772d053c94d63d0136f6b5914a5aeeda32159708c8685f3cd283241a5e0a5c57e16a1043631ec0c48d9fa9deee7864c5218dc54a6c3f2cfdb39dc46f05c7d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
362B

MD5
a97105d18ba12822a69f001d5ed443e5

SHA1
4b5f363c97c7316e8ef848442a0bc7de470c641e

SHA256
c96e4c4d09b328c76653053c07c67178adce0b5993e1895ccec95a3d78a75b93

SHA512
6ca519ee0000832449f5a0df4e8018415138237d65bcfea7b5a2abd0bda529cf7c80c80441a1f45c44633dd6f783917b4372306cf756b3836f436ac16495faa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
278B

MD5
51478b1adb84cc2f2262f55753123315

SHA1
c132ef452767dd358cd8907fc1a66196bce2c222

SHA256
e9fedf6085baac8fe3d47d6b6116125022b4bccb36c0f60f8ef499c5af2d9391

SHA512
429854562f0bf0b940af8fdd5702314caaf78fe32b2268fac67d78948ff2efcbe02520263307d086bc09f5db7cde2b1eb7b4bc3692113fe468f86cbf6c16483c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\wordpad.INI

Filesize
193B

MD5
72f2d357120f95c1e725c22915fe95e1

SHA1
2dc88926e0f7d12f4eebce672a865e1d43237da1

SHA256
aa99b989a67fcd5a7503102752c8b2ed339ec3011d437fcfbedb1c53ee7d639f

SHA512
534fc6dd52c3ace8576f8a74e2211836ab15ef5b22323c370406d6b9a85ab528601df797e4105f6924224f172048772a56c4d376adb58c8035f6151629fae89b

Download Submit
memory/284-64-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/284-455-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1584-505-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1584-135-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1648-423-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1648-47-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1816-440-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1816-49-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2124-123-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2124-499-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2204-456-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2204-78-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2280-107-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2280-488-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2724-472-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2724-92-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2788-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-19-0x000000002F0D1000-0x000000002F0D2000-memory.dmp

Filesize
4KB

Download
memory/2824-151-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2824-521-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2984-439-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2984-48-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3268-789-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3304-165-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3304-537-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3392-586-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3392-214-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3624-554-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3624-180-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3736-229-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3736-601-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3900-243-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3900-617-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3932-570-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3932-195-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4108-317-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4108-667-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4280-721-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4432-257-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4432-619-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4464-408-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4464-719-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4644-302-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4644-651-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4740-272-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4740-634-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4748-474-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4748-770-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5012-378-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5012-701-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5036-636-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5036-287-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5232-332-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5232-669-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5492-917-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5536-347-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5536-684-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5836-363-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5836-686-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5912-787-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5912-776-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5912-489-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5944-712-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5944-393-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5956-538-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5956-823-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6244-506-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6244-788-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6420-737-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6420-424-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6788-739-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6788-441-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6840-887-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7008-522-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7008-805-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7092-754-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7092-457-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7332-620-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7448-848-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7448-555-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7660-915-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7660-603-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7684-637-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7772-571-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7772-876-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8116-587-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8116-886-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8488-769-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/8520-653-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8540-771-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8540-703-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/8876-670-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/9212-755-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/9212-687-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/9392-804-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/9392-740-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/10020-834-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/10020-772-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download