e3b1216c43afbc251bbafc1c5a510933d175769b3f88b6315a31e1c8aa6c1940

Resubmissions

02-02-2025 04:31

250202-e5h8wsxlbr 10

20-11-2024 23:06

241120-23pzzswdpp 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RapidReset.bat
Size

562B
MD5

585007258473e92250845840fcdd7efa
SHA1

f741877750f8b11be85bb9bafacb651456c1d085
SHA256

e3b1216c43afbc251bbafc1c5a510933d175769b3f88b6315a31e1c8aa6c1940
SHA512

da8d912a30b979d06878d4a511a6dc7dc0c82f7cca8f99b618fc0a095de61023d6c9c7b71a922abeff32eadf6e1344c4c79f73858364da7217beeb3c5fe63047

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4100	WINWORD.EXE
4100	WINWORD.EXE
2052	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2708	mspaint.exe
2708	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
4296	mspaint.exe
4296	mspaint.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2052	explorer.exe
Token: SeCreatePagefilePrivilege	2052	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	explorer.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2708	mspaint.exe
4100	WINWORD.EXE
4100	WINWORD.EXE
640	wordpad.exe
640	wordpad.exe
640	wordpad.exe
4100	WINWORD.EXE
640	wordpad.exe
640	wordpad.exe
4100	WINWORD.EXE
2708	mspaint.exe
2708	mspaint.exe
2708	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
2232	mspaint.exe
2804	wordpad.exe
2804	wordpad.exe
2804	wordpad.exe
4296	mspaint.exe
2804	wordpad.exe
2804	wordpad.exe
4296	mspaint.exe
4296	mspaint.exe
4296	mspaint.exe
1444	wordpad.exe
1444	wordpad.exe
1444	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4136	2820	cmd.exe	86
PID 2820 wrote to memory of 4136	2820	cmd.exe	86
PID 2820 wrote to memory of 4100	2820	cmd.exe	88
PID 2820 wrote to memory of 4100	2820	cmd.exe	88
PID 2820 wrote to memory of 2708	2820	cmd.exe	90
PID 2820 wrote to memory of 2708	2820	cmd.exe	90
PID 2820 wrote to memory of 1756	2820	cmd.exe	91
PID 2820 wrote to memory of 1756	2820	cmd.exe	91
PID 2820 wrote to memory of 2632	2820	cmd.exe	92
PID 2820 wrote to memory of 2632	2820	cmd.exe	92
PID 2820 wrote to memory of 3472	2820	cmd.exe	93
PID 2820 wrote to memory of 3472	2820	cmd.exe	93
PID 2820 wrote to memory of 1484	2820	cmd.exe	94
PID 2820 wrote to memory of 1484	2820	cmd.exe	94
PID 2632 wrote to memory of 640	2632	write.exe	96
PID 2632 wrote to memory of 640	2632	write.exe	96
PID 2820 wrote to memory of 3892	2820	cmd.exe	98
PID 2820 wrote to memory of 3892	2820	cmd.exe	98
PID 2820 wrote to memory of 1844	2820	cmd.exe	390
PID 2820 wrote to memory of 1844	2820	cmd.exe	390
PID 2820 wrote to memory of 4112	2820	cmd.exe	104
PID 2820 wrote to memory of 4112	2820	cmd.exe	104
PID 2820 wrote to memory of 5004	2820	cmd.exe	106
PID 2820 wrote to memory of 5004	2820	cmd.exe	106
PID 2820 wrote to memory of 2232	2820	cmd.exe	107
PID 2820 wrote to memory of 2232	2820	cmd.exe	107
PID 2820 wrote to memory of 3980	2820	cmd.exe	108
PID 2820 wrote to memory of 3980	2820	cmd.exe	108
PID 2820 wrote to memory of 4080	2820	cmd.exe	109
PID 2820 wrote to memory of 4080	2820	cmd.exe	109
PID 2820 wrote to memory of 1032	2820	cmd.exe	110
PID 2820 wrote to memory of 1032	2820	cmd.exe	110
PID 2820 wrote to memory of 5024	2820	cmd.exe	111
PID 2820 wrote to memory of 5024	2820	cmd.exe	111
PID 2820 wrote to memory of 5036	2820	cmd.exe	112
PID 2820 wrote to memory of 5036	2820	cmd.exe	112
PID 2820 wrote to memory of 2380	2820	cmd.exe	113
PID 2820 wrote to memory of 2380	2820	cmd.exe	113
PID 2820 wrote to memory of 4976	2820	cmd.exe	114
PID 2820 wrote to memory of 4976	2820	cmd.exe	114
PID 2820 wrote to memory of 3304	2820	cmd.exe	232
PID 2820 wrote to memory of 3304	2820	cmd.exe	232
PID 4080 wrote to memory of 2804	4080	write.exe	119
PID 4080 wrote to memory of 2804	4080	write.exe	119
PID 2820 wrote to memory of 4296	2820	cmd.exe	187
PID 2820 wrote to memory of 4296	2820	cmd.exe	187
PID 2820 wrote to memory of 4276	2820	cmd.exe	123
PID 2820 wrote to memory of 4276	2820	cmd.exe	123
PID 2820 wrote to memory of 2624	2820	cmd.exe	228
PID 2820 wrote to memory of 2624	2820	cmd.exe	228
PID 2820 wrote to memory of 1588	2820	cmd.exe	125
PID 2820 wrote to memory of 1588	2820	cmd.exe	125
PID 2820 wrote to memory of 5108	2820	cmd.exe	126
PID 2820 wrote to memory of 5108	2820	cmd.exe	126
PID 2820 wrote to memory of 4628	2820	cmd.exe	127
PID 2820 wrote to memory of 4628	2820	cmd.exe	127
PID 2820 wrote to memory of 1816	2820	cmd.exe	128
PID 2820 wrote to memory of 1816	2820	cmd.exe	128
PID 2820 wrote to memory of 1468	2820	cmd.exe	130
PID 2820 wrote to memory of 1468	2820	cmd.exe	130
PID 2624 wrote to memory of 1444	2624	write.exe	133
PID 2624 wrote to memory of 1444	2624	write.exe	133
PID 2820 wrote to memory of 2916	2820	cmd.exe	135
PID 2820 wrote to memory of 2916	2820	cmd.exe	135

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RapidReset.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4136
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4100
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1756
- C:\Windows\system32\write.exe
  write
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:640
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3472
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:1484
- C:\Windows\system32\control.exe
  control
  2⤵
  - Modifies registry class
  PID:3892
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5004
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3980
- C:\Windows\system32\write.exe
  write
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:1032
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:5024
- C:\Windows\system32\control.exe
  control
  2⤵
  - Modifies registry class
  PID:5036
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4976
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:3304
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4296
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4276
- C:\Windows\system32\write.exe
  write
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1444
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:1588
- C:\Windows\explorer.exe
  explorer
  2⤵
  - Modifies registry class
  PID:5108
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4628
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1468
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:2916
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:4568
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:1396
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:468
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5124
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4972
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3760
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5028
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:60
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1852
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5332
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5416
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5560
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5640
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5716
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5652
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5744
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5752
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5780
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5860
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5876
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5884
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5908
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3100
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5928
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5936
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5948
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:752
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5280
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2272
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5184
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5348
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5304
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5360
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5284
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5288
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4296
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:556
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5112
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5588
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5676
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5440
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3580
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6060
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5960
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5760
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5948
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5424
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5868
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6000
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6132
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:1864
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3692
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4400
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5240
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:5764
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5744
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3764
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2024
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5292
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5152
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5284
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5676
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5804
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:1628
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:2624
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5532
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5748
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6188
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4844
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3304
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6228
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6288
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6340
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:6368
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6560
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6576
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6588
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6724
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6596
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6780
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6792
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7036
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:7084
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:1628
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6272
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6292
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6468
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6372
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6624
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6644
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6376
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:6856
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6828
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:2284
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5196
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6480
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6280
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:440
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4760
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6820
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:6996
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6900
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6588
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:2680
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7124
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6616
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6732
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7212
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7384
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:7412
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7432
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7536
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7544
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7792
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7564
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7600
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7616
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7660
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:7852
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8016
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8024
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8032
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7004
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8040
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8052
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8064
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8084
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:6784
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7512
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7516
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7440
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7600
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7412
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6940
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7292
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7680
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:7456
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8120
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:4760
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8108
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7716
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7832
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7352
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7992
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6860
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8096
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:6840
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:7340
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7960
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8288
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:6808
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7940
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7924
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7696
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8368
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8384
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8392
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8400
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9012
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8412
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8420
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8432
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8448
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8564
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8596
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8604
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8612
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9132
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8632
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8648
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8664
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8684
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8880
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5140
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8196
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3344
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7496
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3512
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:1844
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7780
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1684
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:2964
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9020
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8580
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8680
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8320
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9164
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7808
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:8900
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:8612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9208
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8884
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8984
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3936
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:8168
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8324
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:8840
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:8240
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4624
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8444
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:7276
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7808
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:8832
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9300
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9420
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:9312
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9508
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9604
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9796
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:9896
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9952
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10032
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10048
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10192
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:10100
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10168
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10228
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2840
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:9408
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:1772
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9620
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:9560
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10008
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3388
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9760
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:4320
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:9988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10052
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:3004
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10228
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:9140
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5728
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4412
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:5732
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9304
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:776
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5944
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:4364
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:924
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:5432
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:5592
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3656
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:4860
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:5072
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3056
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:2224
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5236
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10296
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10308
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10596
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:10352
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10376
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:10388
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:10396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10412
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:10476
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10716
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10808
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10836
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10956
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:10860
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:10948
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11088
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:11244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10324
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:10648
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:5576
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10528
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:10792
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10948
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:4636
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:5056
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:456
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:6432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10856
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:6348
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:10512
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6952
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11260
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5156
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:7444
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:6440
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6800
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:11108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7764
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:3436
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:7576
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6524
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:7596
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11276
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:11064
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:7088
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:6904
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:7280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11364
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:11444
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:11528
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11608
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11620
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11700
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:11652
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11716
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11752
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:11804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11892
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:11932
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:11944
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11952
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:11960
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12248
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:11972
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:11988
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11996
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:12012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12036
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:12076
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:8856
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:3800
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:6848
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7364
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:11488
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3196
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:11600
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11824
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:11716
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:12028
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:12180
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12196
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9264
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:12136
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:9116
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12244
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:12108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12256
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:12076
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:11816
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:11564
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12184
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:11108
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:12096
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12064
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:7596
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11600
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:8100
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:9964
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:10124
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:12348
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:12972
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:12356
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:12396
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:12404
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:12416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12484
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:12868
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:12988
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:13040
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:13080
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:13088
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:13096
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:13136
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:13296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12204
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:2912
- C:\Windows\system32\mspaint.exe
  mspaint //open paint
  2⤵
  PID:228
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  PID:6888
- C:\Windows\system32\write.exe
  write
  2⤵
  PID:3916
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  cmd //open command prompt
  2⤵
  PID:3236
- C:\Windows\explorer.exe
  explorer
  2⤵
  PID:3172
- C:\Windows\system32\control.exe
  control
  2⤵
  PID:9736
- C:\Windows\system32\calc.exe
  calc // open calculator
  2⤵
  PID:5252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10224
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6984

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDCC81.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
bb4f48356382860b078fd59609432549

SHA1
e419fa5bf5bc1790e217ccb2dc3967c413a929c2

SHA256
2b5df64ab8c19c73d43a685f3f312cca17aa7abdec944050127814296f80d1ad

SHA512
add2958f20821d9d1418c14b67202cf231c6c89aa32ea0bed3a6373e197498bf24fe285fb656349c1a432aa7b31cbea29eed9567921593084307da338dcd27d7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
6b97978b77feb046e4462252f8605204

SHA1
d5abfe2ed550953d5694c733c0a96b11bf0835a3

SHA256
5feb94a98b1b630d0ba4ccaed7e5e49e484ec7e9436d24c1a7430b2f8703bd74

SHA512
773aa9b40609b6136ef3b7053785dd56589c2cfb546c50412d47c122a89e2bea984ac6f48491e2e87a2f26cab9c3cf4151ea72141b24c5ec5bfd91e176f46677

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
a090fcd27c4bcf451d5b46ae3fd5cb18

SHA1
e7d90f7e7bbbf583e6e4722a8312c698fb569107

SHA256
3feb8954ca47655dba5b1778a599aa17a9229c5ce38d1c4b954dd5d0805c1da2

SHA512
5cbb8f69db2e4776cdfdab165951fdb5693d40bce38c2b3f68868aab50d1711c5668776cc08c258370dd2013e86c17ac2010f7f9fc4c473a3fd8092aa1fe293d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
17KB

MD5
4878ad14f2b25e47bcb4b8d39dfbd543

SHA1
2c814d2d63ecc9db9159f3f7770f7bd87c206f9f

SHA256
ba5f2092cdad3cc3b1d608043c320d9a162cccbfcbf6b568d6deaf7358152d1b

SHA512
1e384926d9f5510d97a057183d26ebafc66ff96e7facfd28d60e706e7d4e1c558d3fc90b0e76945d5eb3c14af84e1f25aeb62632d6701a10ba5722734a4db2e7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
4e3635d5b35fb49ca10eccf923e2d409

SHA1
4cdf1aacc8b62841860590432046d47489cb4374

SHA256
185e0951747280488beef801d09cc5a3d6a3ae189485212246a0b41aba3a4a2f

SHA512
0a9f2d2c81c5cf27edf34320e70fadeac3569212948021de46d2f67df2fe98032e66e55d6c4fe95bb7829f9874459ae37ecd5aaeb0364e2321af5c71d375243b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
20KB

MD5
4ab17156e48bb8ee69869553d618043c

SHA1
c8ab5176138984162e7ce1d52b58c479b8521c79

SHA256
e60f38cd0c4f540e5f7d7a7389122e0f1e6e0c92d44dbfa8a22fcc34cd4db8f4

SHA512
6d08b47bfe6929d42b63e0a4d3a847ee05fb254f1bc82b35cc72febe95e37fac42a7f6c1225988558ec4ffdcb73229d62d082517244c75e2ea98551c18af0c8b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
ce6764c4d330828be82889c41e3a6bd9

SHA1
34314601a3a059b2d0b02ace4f84190168a212db

SHA256
8774815d3c02a4c9b7e7c0932a9feaef55ba96f4239fd5582b6e992602cb5790

SHA512
f551ad67260d07522dbc79931dc2fd2a93cc455182c3825ff4ab1eea4ad89d992ccf9374249557f0dbf9906ea6ddbea2522076c71fcb18ea41a4cf7890cccff7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
23KB

MD5
c78095602a818e07405899c1ad0fd988

SHA1
ab2a3a0a09f222ed0e17c9b2d351ee94c3ef1a2a

SHA256
63904471263e193a5edd3f8625a61f6c95db73271cdf6f5165bc0f136134e3bd

SHA512
dc191d1c85eea8f6469fb4ef97cc8eaf5806e684d72ccf3ee1ee232df73954e939c40e70a6aad22efb3d016858da9ac140891c95965be92cc2ddc5f4eaf96e29

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
5f1cebd948c62aa910d641f2021296a1

SHA1
e518c9651f237f8b9783522bf59f88106bdb9730

SHA256
5bcc8d01b479a6f09fa8c0506f32a0f5fd973848e06a9eb227384946134e13a6

SHA512
ab0fcadaf5f7e714f475c2ebbd200bfc1c0a3f6b72519cfa4de9ec05bc24e90058318371462b48ac14eeec50b4fe3b16d9624f0c9a9c0f0952037d79a67f44cd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
26KB

MD5
b6edbbbfa25ca8804a908d0c03add50a

SHA1
67f3846aae41b2df83e647d70b7500881f89e59d

SHA256
7428288fb823753ab0629cd1c3d90804e5ef06511b1c4cab08c53b9cb81b1bf9

SHA512
5a8ad91229e1a4578f1ed041a0591104b5e54562787092c2df3ee8610d72047b65252162438e62a365f4a87eb26feb82e33bcda320feb67c5d3281e730aaa26e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
45a90579eb05968061af31b477e4a583

SHA1
5376e02e2782becdcdb9213683683571e2754b27

SHA256
131e5e5802af7723858f993204c6a616a12d915592e0fd384c6f402f09e1eac7

SHA512
92c0ed2412a090a7886973a25bd05a1a0109462189a277663e600923a0a1eeb3dd39b0ce031b1abff1d150546161eafb84d623638331397a76666477e0b3c018

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
29KB

MD5
389fea00104dc2e94b5755f84cafd8f8

SHA1
93cdb05f0f15ee0120bb5ad1da6766fe72762a03

SHA256
d82bb168eec1c05d809cb2a262c0244d9f5dc87ee0f8db9b28e39c8ef08dc218

SHA512
2e7fd350c8355efa46c99640f7e5f322f302cc59e86c44a0b2f71eb98c7c82868a115c9fcd037e0113dd59cb80f1fb710db1217a6b4f02da0ff5c89c4755e358

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
bd5867a3e30f52b17723604ecf251af9

SHA1
44a12cc9b25b9869d4e452252054faa8d1407220

SHA256
3d7eb754f12c953084c790bee2162b3c4e7106f38c89c9a8b693a931aaf4eef2

SHA512
588e319dd5f9c6b839eb56d46d3e15253499ce6ec4c8d854222a5c11c5e07f36990fc7a4b4f2bcf9ad99d3cd412881e53736176abf5ed5b2684055f1f57cfe39

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
c1dde7a3c7469a1c052d176bb032595e

SHA1
ee286fb6d58b5a37a9de62f27675d1047aec4616

SHA256
98cb5a999d4fbbaeba21710cbf3907e1de15ed09683064e2f309a5dc7cce61f8

SHA512
c20948d1ae266fdb42c41f002396642eed3e50dc1c5533ed314370680cb9f3f6ce4ba55b3b908a5a3a1a48b513cf2ab0d3752f5eba95eb38906c329b8f7c373d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
32KB

MD5
a9165f0893defab4232d224dfbafa7bb

SHA1
3dae4a8d97932031e0def305991aa084a445cabd

SHA256
32d1cdbf001e7aaaf87e0e2822e6cafe7e74465a6f0ba9b11b0cb28f93e020b3

SHA512
96d7638d8b1c02a06be94a2ace73471086f7db06643ebdf8ce3ae76a3aac771e3510617926c91fe37a1a152682267475aa414f1c6365ce81c8c0e276320c3937

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
ca7b648e53e49c33c91842265c7228e3

SHA1
32c0c20651985e53eb082152b591553341363237

SHA256
5e432f77e7a0361fdbdb473080b548976818780c24d0229c4658c4175ac7a155

SHA512
42641d502d5fb1c3ea88f8439d725006861527975ce456e38317da9061b3d129bb4c33c8aee8980ea74209f90fab48c13556a622da9d9d5b67471b12b66e005b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
35KB

MD5
0899a03adc3b4b8d11b4ca3fc42fca4d

SHA1
dd650f7288b1623e3ee1b8c547112638f2a61886

SHA256
5ab595b0b22a1b03e97507c3a81a03b925cbc7b7e42a60cf9787a29ea8268a0e

SHA512
9b525c648dd3254e02def9135298b357e4a6b98bc11c60296f683cd4950c580779a12fdab8ec8643792961bb6a1b17bb5a799e2485609af08fae8e1c7eb05452

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
38KB

MD5
e19b14ebc800432b4b50daa2651c637f

SHA1
f4a8afec613e66cef2f2c7d67f8cc1ed50844153

SHA256
f003bd78249f5c0a20630d18db1d000af9044f080c8c756adee418e67c32bf35

SHA512
bb89196c32348598a17f989a424aadabadab2b3741ea9c7ed3a3f9f06eafa43cab62e05118bf0c64ab655a78e063fc1d60d518e46b694d0802d2b6ba1a91ab15

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
a4972d92bb3ffa3f249bf6bd8bed7ae2

SHA1
560310478741d8f4cfa3402e0c69e8e489041c58

SHA256
582e610757bf03d9e945195e3292d9d53ccbb8998a520d45582f9752470b7baf

SHA512
1ab5e114f54472db73715bfeee2881104c17fbc784d395fa8b62a5553528612ce94e06c5ac7049dad69d214c6117d5704f7bf278b4e16ee4b6f96ec44b12011a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
41KB

MD5
6b5be9a464f54fff2bd4bd28a59a8889

SHA1
8c898923dc345ee065c27aedaa34ddb98e1c035a

SHA256
ee434d88d5ce2b6ab958be2b47f5474b932892d762080bfbb11bdc80e2f377a3

SHA512
3646b98e718114bfb4fd88064ee6418c45790a36b0afbd5ce81c51ce76e992a458a5e8b29ca51b37f1336fba31b1019c93758c598ede7d3edd84c62b100d89fe

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
5b8e57710b0e749a29fca0ed77735f16

SHA1
caf9730b582071ce3320c8fb80ced8a0e63d80b0

SHA256
6641f01530c42e0f45d3921b1be9b034680d286c2a3a5b9213e2dcaf210feb19

SHA512
b8b8ddccc044e21ee71d7c13eb07c27d21daa5f9eef9f0573d90faa91d462f8793bb3896314462e00775322b28a55b84419e6fc9726d0028e32fd0294d2c36d3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
ab21d1bb442c165f45a154dd19d3cc76

SHA1
30c2090d57673987cd560436efb5fbfbfdab3823

SHA256
29d1a6f91bb62c5e19877eac5b5421eae721b46d7c40aab837745b02f326a957

SHA512
ef78d7261859aaa24f31a36f5ea43f5448131e8c18c72a20fa58f96cad975e039ca09eb1a850580e567a861272883870176d46366bf27e531727b6f132830744

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
2238d7ce6f7ad7867018210ef1ebda7c

SHA1
3d106a71049eac9dd133e45015e88faac89181c3

SHA256
a10ebad90610bf63b760348e9e920ce72d909848b0bb55252ee4fbaa91a115f5

SHA512
4d7bd2c8c086257325949d2ef0c5cc27ee7686e01808bf9aef2e2087509b2401b65f663b44412457debd02e3b9df5868fb328f23d22a9e719b693dc6f331d606

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
45KB

MD5
1ffbf7b3b941f1b0e309ad57f562b88b

SHA1
1918ac4d81081afa920c663ed3c6a3555fbc8cff

SHA256
b9b59e29c35bfe2b0cc671bb35a961130e1014c5988d80b0e58c2f9fd33270f9

SHA512
83627b69836bb8c0399184ac700e5c4438660a05c3e9d000dc1786b68a3894e41ad54f1bc7fb4364ca73bd503137783a910f60b8e1e6fc10181b5b8fff8bb25f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
ea79e1cd30c5299edd5294bf6928391d

SHA1
bf363e133c90a1690b406879f9ceedc198921d9b

SHA256
dc12331b8dcdd21c5e5702ba8475830a766f93591a351a9753b6417f83bcd7c7

SHA512
c3310fdb185c1f49b4c7074551e55d5007147eb255ee6bbd5078cc63605e6f6532b7468d8d9c585a177fa7aee7f1f81e8a13eaae9b6887451d47d6cdfdb1893b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
49KB

MD5
4157b8a679d23e931054719fe930e4a9

SHA1
5232c8bfbfc1dd94f5f27d79f9d58dd7161dd9dc

SHA256
ce1dec13089243213ae414183d6982f6b5195d222cecb36182514bedc7064134

SHA512
d92d59d095ba95a6610b01b60a5cbcb9641e4370d405c3e14dc9f78f04ace8b90ec92ab20aac48f87576de87546d050540474a7db5e7e6f9676ba37dc4178a47

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
50KB

MD5
1bd2b649a572b25d4ed70bad680fcc83

SHA1
6f2071a5271af341f08f019f1fd8b1747b272848

SHA256
63d9a6686a0a89d49060f931c49422aad7a9596d5015418ca7269044872711ca

SHA512
57d2dc9e22942e63453edcc5156fa2c2653ba1bc126016075ac8688b67f485ac49f70a6742eab1ff4f2232c091d25facb00e798e64bd0ee756be5cb209df33a6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
52KB

MD5
54c4d03b4f7061c95a4297998531405e

SHA1
7a2405a918cc394a42b17ca2c8ab90d36995f63b

SHA256
8ec493bb87a54fb358b6f002f44f56c8413fe3bf39ee5669c6fd356cbbf83f9e

SHA512
1dc3aeb4c375aca1bee127816479b14cbc8499efc1d8890a71ff9251fa1bd8c0c9dc839b62cb14d0d76ed4b9d1fa52609f3735ef5115c4738ef8ec602d3bc632

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
a08ba83d6880def9e80cd481026afb61

SHA1
f5eaba1f41d2e03187676b264b5fc0736fe53dce

SHA256
8e22e11b60e4126dbe51dae16f468d9f370099a03c128bdd92d44cd044adb51a

SHA512
c44690e48fc0431866222d8de31d7926475f3c1e68c7e8ca9c93285e9cd689c6605d7df97f1cbd338368b348e5b1bbaaf94b345b6cd0ff4903e5f67d3f56afc9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
55KB

MD5
1127d6ca02a753dbdce5f0833d21d908

SHA1
d6564cfbf1d5d7b93128f3743e26601008addfff

SHA256
919bbd9dbdfa9ce248a522b7628a222f4a1026181d7a5d1a2b9f250b2629f138

SHA512
fcb130a4fefda7be8c338b8c551e0789aa8cc71a1a8c8b663e41b409fbc0593392b25fbf69881e15f38d3612f7461fae948392ad0e1554b3df419f435ba5223f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
56KB

MD5
df54dab3267341a6d8590425f679bfd4

SHA1
d4d036eec78ad41b4a2bb9943839a1232a4456a2

SHA256
d3ecabb290440535cb2bf5f616f0ffd6af11464b8a348e33d85c6b94b6544059

SHA512
aa88965f2068cb1ff569303b5f552e584b2190cb09df0717fcd398a4e93048a7cfca6b45aad735c13749fbd4dbd233a6f8c85f31bb51916667b91069a1fc5cdb

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
58KB

MD5
4d2fa202e00991b68fead30d28bd6ab3

SHA1
64ba37df1f57e9b04b0c1354da5f75ec2eb9d037

SHA256
e10e2a039e2766d51fa8552a34e67c3aae18cbba987f3e266f0d17f99d1afe17

SHA512
f72a13430718b6836b417894c058f97deb45bfb22e5f930e0ea0ee1d16add7c8d31155fb90847500b8308ce7120d1c6af981cec93296773bf844d849a44d8114

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
9ca4d0b5c97d7604b2985df962fa91aa

SHA1
4e73b5bc06e87283117eb12ff114e60be2cd844c

SHA256
058b56c246ae194474816bfd73dda0f72ab068874a66372e33dc1631d12611cc

SHA512
e78042238628119f74ba838061baa872558f0e59ba9d1829c0377258d2a5b51fd463cfa48bc6c49783f27e1e398856a83515e27b487ab28bb01e90aeb686d04a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
61KB

MD5
22e5d22f12da53c70ae3ef6e96141a76

SHA1
8779afc4d3169960ac60a8680764a653c4a7ae6f

SHA256
55827aa54bf308354d96e61af90fd401fb9b5f5357f283c583205f1295fc2fb1

SHA512
cc844c13a58844e4a3b3cffeb1843d010bd43f4e2ae1ff166689ceb60fddac79a4ff4a88cccbcc0cf44936e9955180cd7021c03b25325a6dd1d57342259bc685

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
e27ea687d3b53fccdf7661ae720ea02f

SHA1
b3acf83e80593fa5733669d349f68884c00d75d0

SHA256
d7313a8706024b9d67f60c9ffec448e6e87e5ad1c1c71cbb4ab43a40ddefd410

SHA512
3b948f17a546d74a3b343bb7536f26cee780c05fadf531678304aba63e7e5c9b1c0f6475436b8c3758204e147e60b609ee36bb9d33d0034cc4faaab32cda09af

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
5c6d90b0e2cd61708b039110d34c4ec5

SHA1
e96901958618872e4705ed45368da8796b63d863

SHA256
e94673f75181d1deb46b5aacd6052549053c4d63c421b6db6dbbe23d976bddb2

SHA512
5940dc1015fc64440c4b32e4e1d3eb263f8e75599073601c4e8c5c64e4d12354b50213c8ff480c1e2c804d1b889f6f869a1674d5d23627380e2da4ff865115b0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
64KB

MD5
d17cdc002c2fbc9b90655fe7ef93b422

SHA1
1adfb09726637245dd26c7e92c551d08355cb221

SHA256
cf7b74908dcef2120665ee2d7c38ee81b7fbe88552c4ccced7bf3381159e74a0

SHA512
d03a2f626e34d95054c2fe20f42a2361b14ae6d27ed25c5c76ff0ba41e34730905fd44c0296e8633c7ce777faf188e8e1730d544274964c8e23d3e1a91bcab69

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
65KB

MD5
0752c49942d5e90e4256b3c12555facb

SHA1
db11ce6d06f26745fe7e1531d1408954427a24b7

SHA256
3cb38a886a378c95c787ecf0ac9a56a3459d266e929670b721212810da492fcb

SHA512
4420292d5d2628ee2c6848f97e2f81b766a9c16ebf15cb6009e5c635372c94dd869d1b8330289882d1bbb45eee6db1b646ed2a74309db3ea6094c835c0d9ce6a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
67KB

MD5
19983e52a3d6b66b657fe4c99328ff66

SHA1
d4ecd03d3915b96a49f16f9faf0950b936d1aaa5

SHA256
6b0801e60544cea4c49c8fecf646bb48af70077536e4f6079bad17ab4fbb695c

SHA512
ef905abb60c83336410fe3b49d9c50043520c728af7a1ca1b384fa3e15536b660dda26fe8b2402018e301615f73cd912131510993e5db83c3f4b68c2bb4a6d4d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
fc5b27035335b6b9d187672e2fd10194

SHA1
35acf12112f520dc3b60afbad9752339e4480574

SHA256
6940c52a965ce7bf124d2099a816bf5e1bfd92c326e8434c22976fc73d217dc9

SHA512
61e2a91c64d2b980e9184a0e8f9e57d1118ced45bcc00daea41fa32fbb1f47bf0f557004a13ef24560f168a9cfcbe6f8cdf369d76b5602211cc096deef802c5c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
efc696a624a6b58ee3c9288abb0e0d6b

SHA1
6f4bc54bc5160b681dcd29efda3838df7b3ac27d

SHA256
2d383f441c0e09a0ff200af59163c67ca601d828773129624cf6b3259ab88d1e

SHA512
51b636af47dc5f2916e5562af132fcbba0695fe2912eb73e691bf8d36fdfd3f2616c4aa36b04a6530eb21ccda8b3865ed25a605414c791361e0b33cd7aa74246

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
14KB

MD5
ad4391da1a7d3eef9d79752cdcd383ec

SHA1
f4cc20f962a94f5581b4684555fd36606f0a79d7

SHA256
ec1e725e479625e1bd523f018f4a28cd7685f52361c4225fd51b1704811ba268

SHA512
23facbb865b458eb1b761cd0325ec0cfc54db1f4e53445d7cba61d1ca76708ecf3f4f00df994340215e0a75bdc271c89d64fecdd5dca3af7832202b9d7913ace

Download Submit
memory/4100-2-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/4100-0-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/4100-6-0x00007FFBEB8B0000-0x00007FFBEB8C0000-memory.dmp

Filesize
64KB

Download
memory/4100-3-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/4100-1-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/4100-4-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/4100-5-0x00007FFBEB8B0000-0x00007FFBEB8C0000-memory.dmp

Filesize
64KB

Download
memory/5004-22-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/5004-23-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/5004-24-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download
memory/5004-21-0x00007FFBED910000-0x00007FFBED920000-memory.dmp

Filesize
64KB

Download