6b4c85a2d6160f48777fb4e7686f4b6b7317aed176d523ff5e1446e2c3aabbc5

Analysis

max time kernel
129s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 07:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

virus.ps1
Size

358B
MD5

97106846c4aab8db3e7527f257420ef8
SHA1

9b4e8af3823595f86b49181b8795c133fa87567e
SHA256

6b4c85a2d6160f48777fb4e7686f4b6b7317aed176d523ff5e1446e2c3aabbc5
SHA512

13563f052edb270f75412e76dd64bfa704af941e3efee4d34b9a776459bea01d569d4707581d00e572a7ac295a39ad4d5899b9c792ca4a93eb2821f6acecf2da

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	powershell.exe
4376	powershell.exe
4416	mspaint.exe
4416	mspaint.exe
1768	mspaint.exe
1768	mspaint.exe
3608	mspaint.exe
2104	mspaint.exe
3608	mspaint.exe
2104	mspaint.exe
4192	mspaint.exe
4192	mspaint.exe
2132	mspaint.exe
2132	mspaint.exe
4896	mspaint.exe
4896	mspaint.exe
3388	mspaint.exe
3388	mspaint.exe
5100	mspaint.exe
5100	mspaint.exe
5024	mspaint.exe
5024	mspaint.exe
5080	mspaint.exe
5080	mspaint.exe
2004	mspaint.exe
2004	mspaint.exe
452	mspaint.exe
452	mspaint.exe
3692	mspaint.exe
3692	mspaint.exe
4440	mspaint.exe
4440	mspaint.exe
2792	mspaint.exe
2792	mspaint.exe
2492	mspaint.exe
2492	mspaint.exe
2272	mspaint.exe
2272	mspaint.exe
5012	mspaint.exe
5012	mspaint.exe
5212	mspaint.exe
5212	mspaint.exe
5336	mspaint.exe
5336	mspaint.exe
5412	mspaint.exe
5412	mspaint.exe
5500	mspaint.exe
5500	mspaint.exe
5544	mspaint.exe
5544	mspaint.exe
5648	mspaint.exe
5648	mspaint.exe
5724	mspaint.exe
5724	mspaint.exe
5816	mspaint.exe
5816	mspaint.exe
5912	mspaint.exe
5912	mspaint.exe
5992	mspaint.exe
5992	mspaint.exe
6064	mspaint.exe
6064	mspaint.exe
6140	mspaint.exe
6140	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe
6828	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4416	mspaint.exe
4416	mspaint.exe
4416	mspaint.exe
4416	mspaint.exe
1768	mspaint.exe
2104	mspaint.exe
3608	mspaint.exe
4192	mspaint.exe
1768	mspaint.exe
1768	mspaint.exe
1768	mspaint.exe
3608	mspaint.exe
3608	mspaint.exe
3608	mspaint.exe
2104	mspaint.exe
2104	mspaint.exe
2104	mspaint.exe
4192	mspaint.exe
4192	mspaint.exe
4192	mspaint.exe
2132	mspaint.exe
2132	mspaint.exe
2132	mspaint.exe
2132	mspaint.exe
4896	mspaint.exe
4896	mspaint.exe
4896	mspaint.exe
4896	mspaint.exe
3388	mspaint.exe
3388	mspaint.exe
3388	mspaint.exe
3388	mspaint.exe
5100	mspaint.exe
5024	mspaint.exe
5080	mspaint.exe
2004	mspaint.exe
5100	mspaint.exe
5024	mspaint.exe
5024	mspaint.exe
5024	mspaint.exe
5100	mspaint.exe
5100	mspaint.exe
452	mspaint.exe
5080	mspaint.exe
5080	mspaint.exe
5080	mspaint.exe
2004	mspaint.exe
2004	mspaint.exe
2004	mspaint.exe
452	mspaint.exe
452	mspaint.exe
452	mspaint.exe
3692	mspaint.exe
3692	mspaint.exe
3692	mspaint.exe
3692	mspaint.exe
4440	mspaint.exe
4440	mspaint.exe
4440	mspaint.exe
4440	mspaint.exe
2792	mspaint.exe
2792	mspaint.exe
2792	mspaint.exe
2792	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1836	4376	powershell.exe	86
PID 4376 wrote to memory of 1836	4376	powershell.exe	86
PID 4376 wrote to memory of 4416	4376	powershell.exe	87
PID 4376 wrote to memory of 4416	4376	powershell.exe	87
PID 4376 wrote to memory of 1648	4376	powershell.exe	91
PID 4376 wrote to memory of 1648	4376	powershell.exe	91
PID 4376 wrote to memory of 1768	4376	powershell.exe	92
PID 4376 wrote to memory of 1768	4376	powershell.exe	92
PID 4376 wrote to memory of 4540	4376	powershell.exe	93
PID 4376 wrote to memory of 4540	4376	powershell.exe	93
PID 4376 wrote to memory of 3608	4376	powershell.exe	94
PID 4376 wrote to memory of 3608	4376	powershell.exe	94
PID 4376 wrote to memory of 2488	4376	powershell.exe	95
PID 4376 wrote to memory of 2488	4376	powershell.exe	95
PID 4376 wrote to memory of 2104	4376	powershell.exe	96
PID 4376 wrote to memory of 2104	4376	powershell.exe	96
PID 4376 wrote to memory of 2428	4376	powershell.exe	97
PID 4376 wrote to memory of 2428	4376	powershell.exe	97
PID 4376 wrote to memory of 4192	4376	powershell.exe	98
PID 4376 wrote to memory of 4192	4376	powershell.exe	98
PID 4376 wrote to memory of 1276	4376	powershell.exe	99
PID 4376 wrote to memory of 1276	4376	powershell.exe	99
PID 4376 wrote to memory of 2132	4376	powershell.exe	100
PID 4376 wrote to memory of 2132	4376	powershell.exe	100
PID 4376 wrote to memory of 5020	4376	powershell.exe	101
PID 4376 wrote to memory of 5020	4376	powershell.exe	101
PID 4376 wrote to memory of 4896	4376	powershell.exe	102
PID 4376 wrote to memory of 4896	4376	powershell.exe	102
PID 4376 wrote to memory of 3028	4376	powershell.exe	104
PID 4376 wrote to memory of 3028	4376	powershell.exe	104
PID 4376 wrote to memory of 3388	4376	powershell.exe	105
PID 4376 wrote to memory of 3388	4376	powershell.exe	105
PID 4376 wrote to memory of 4600	4376	powershell.exe	106
PID 4376 wrote to memory of 4600	4376	powershell.exe	106
PID 4376 wrote to memory of 5100	4376	powershell.exe	107
PID 4376 wrote to memory of 5100	4376	powershell.exe	107
PID 4376 wrote to memory of 4852	4376	powershell.exe	108
PID 4376 wrote to memory of 4852	4376	powershell.exe	108
PID 4376 wrote to memory of 5024	4376	powershell.exe	109
PID 4376 wrote to memory of 5024	4376	powershell.exe	109
PID 4376 wrote to memory of 1288	4376	powershell.exe	110
PID 4376 wrote to memory of 1288	4376	powershell.exe	110
PID 4376 wrote to memory of 5080	4376	powershell.exe	111
PID 4376 wrote to memory of 5080	4376	powershell.exe	111
PID 4376 wrote to memory of 3304	4376	powershell.exe	112
PID 4376 wrote to memory of 3304	4376	powershell.exe	112
PID 4376 wrote to memory of 2004	4376	powershell.exe	113
PID 4376 wrote to memory of 2004	4376	powershell.exe	113
PID 4376 wrote to memory of 2412	4376	powershell.exe	115
PID 4376 wrote to memory of 2412	4376	powershell.exe	115
PID 4376 wrote to memory of 452	4376	powershell.exe	116
PID 4376 wrote to memory of 452	4376	powershell.exe	116
PID 4376 wrote to memory of 2308	4376	powershell.exe	118
PID 4376 wrote to memory of 2308	4376	powershell.exe	118
PID 4376 wrote to memory of 3692	4376	powershell.exe	119
PID 4376 wrote to memory of 3692	4376	powershell.exe	119
PID 4376 wrote to memory of 4316	4376	powershell.exe	121
PID 4376 wrote to memory of 4316	4376	powershell.exe	121
PID 4376 wrote to memory of 4440	4376	powershell.exe	122
PID 4376 wrote to memory of 4440	4376	powershell.exe	122
PID 4376 wrote to memory of 2784	4376	powershell.exe	123
PID 4376 wrote to memory of 2784	4376	powershell.exe	123
PID 4376 wrote to memory of 2792	4376	powershell.exe	124
PID 4376 wrote to memory of 2792	4376	powershell.exe	124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\virus.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1836
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4416
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1648
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4540
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3608
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2488
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2428
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4192
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1276
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5020
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3028
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3388
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4600
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5100
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4852
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5024
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:1288
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5080
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3304
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2412
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:452
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2308
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3692
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4316
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4440
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2784
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2628
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:2796
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:3928
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5204
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5212
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5328
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5404
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5412
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5492
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5500
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5536
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5544
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5640
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5716
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5724
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5808
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5816
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5904
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5912
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5984
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5992
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6056
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6064
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6132
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6140
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:4908
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:5196
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:5476
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:5776
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6172
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6180
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6284
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6292
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  PID:6448
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  PID:6460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff817946f8,0x7fff81794708,0x7fff81794718
  2⤵
  PID:6908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:7116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  PID:7124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:6160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1605606955067350561,10119851290124671226,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e95d45b99ee46b05441be74a152f3af8

SHA1
76adb523ca3943c8eeb4793a7daaa1f27cbab7d4

SHA256
435d76228edca3be83910f980b82f508e25541918fc3d7c4278a77307c880fb0

SHA512
35ec6bb16d0aba61622e6c9c8d1d4823b8d3e13644ab0b849cace25e0ed2adcf3cd98f6e7e7a24be8c64e360ea3be71523ed12d3c061d88eaa24276bfd91da80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d9da931f98579d9af12b0cddeea667a

SHA1
5f02b023ce6b879af428b39ce9573f2343ef4771

SHA256
ae100e49b8a80ae8b977141fca8c9d0b35112f92af89ebe4dc5dbf2b1311fff0

SHA512
bd338bf14893d2c2f529eb0542b6b82e2beed5614d449c4147a87067f6ba1ff8d7bb178ad56d7b1491acd9d08d5bac5d1906160cf14998a13957117967a28680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2140e018d23ce0042c6e900d7060537

SHA1
24ca110b85d2bd3b7652a77a7e9bad9813e48d26

SHA256
10065a52147d28ca08215e550717f053c3864fb43383fd1c0209872dbdfaa5fb

SHA512
32d4400eebdd197ce3f0a581f5bab032177a724e23645f94f1d3697967a3515611d8bd464c3ffce76f59954e5ca918d07f3bd5a3582eb8d9818a63089e1194bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54f48475fa92555ce38d960c9bf2fd07

SHA1
766b4fabdf1c6dea20931cef13cf23483ca5c53b

SHA256
5425c84911fcfc13e9b291f53299cba22e6bb69c48f49c84ebab92e434007fa0

SHA512
8392b0d45d171c185d11f456c04a3bacfd71fe9b600d9d2b8fd3e45b60e03a42fd9568031302d0dbe5922859a7debf8d3c529c43a6a1bd7dcb81b1110c031944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
576e83c1432aa0b2a97b98e1e603ee45

SHA1
b8ac02412b03cf249f4943bbd85ebbd85f3a8889

SHA256
a14ba96dfa9b38b9981de1b12529c08bc3e884cb7ecae60f6a3c5418dafd736e

SHA512
3c763bdcccfdf9415cbec63269cf3d88666ed9231143cb002f813ebbcf0d8e2d21d87e179c37bd9f2d35dd0abfe8b9f018ba81c2e1b01699cfc5a8d6f9139266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
03bf7f04e603d01e8fe10cbb45aa1b7d

SHA1
14858f4c26f58dc2d9dd2e2df8a1d51f88dc832d

SHA256
0a84f7501989206ead9d7418f14b2d36132522d8adf9e2a3d2756029b9cf9173

SHA512
85d3f039ee10086e31e4e4134261507c0027b55aa01edbbe825f90657ee48e8242ce4a874ef7b1e8824f8f71e38c9a7ddb9be70dbfb7c1f3cc36a9d75de11c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gz1dyyfy.pcc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
957b8d2b9582b95d07765dcf8fca1748

SHA1
0536959113c0ae4f4db62119e5373fe8f6b7fd98

SHA256
3e00a2a930b5cb73efb7fc1b012def5b271794a037ed0bb84357c6e48472a581

SHA512
7ac708b454d55e46aa1e738d17352fcef58968d8b149e84322b8c4ebad68ef2cfc7d4c77ee22e949ece4f7dfc768ab69c3237189c866808f3f618dc6ed891e7a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
785e47cbd7f944d730a0677a4af90585

SHA1
4a8b0e491fd62ed93be95fd919084c9b9556e13e

SHA256
14ea09d4587ef2fcdf27007fc3ecd7b96b53d6951eba75494d1adb62536710af

SHA512
fa7ff11fa514ec53334c9dcb06f789e5ec90c9867a06e1019705cf1cdfd29dafb65f19cf7781523c5d10dd3eefbb7375c8e921b6798be2b799f0cab3fa71a25c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
b49fd250fb5bfefa752868da20db3276

SHA1
3fffcaf88e5d7f5882bf27586b3d605014a968c1

SHA256
f41b664939d5c3ce9c5da54f3bb2b7bd63ce99efaa5f714f9e5d488dc65fcc1b

SHA512
94422f9b7a3188c419438bb69606e2cb1abec8d706b8d04cef94a92b7dce62cc10cf9fb4da09e951d868ceeea12648fa9273733927d10e914a8779400c76715b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
638f1a9759df3f9efe589565e030e858

SHA1
b8b49c4cc3c055ab0f6a5bcd05e59fdee95f5395

SHA256
44d5e495a5195874ae10cf5212ca0ec6e2e85efb98f3b72c3824b10ab83f4cb2

SHA512
cd15c823e6a5a1a035b0270d32e964658319da5f234322b6121c778860165e051d821ae46ed332d46d12bebdf454e9b69eb312a809a78b4ecb9bf845a93e95ad

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
80b94fcd130353970d24dc4e9170b49a

SHA1
a06da599ce0989a91eb52d6c1fc3297b8703b112

SHA256
fb218d0accd5bd20a89af5623b7f64b3153d5937f36e263a4747ff7596197520

SHA512
4b70bc5e81fca2d90fbb7b11052a844eda0e576fcfc181c3212aab62d99d17c0ec5c75aa5b97fc1b6c156a99e3d2696398230013816b406db943d537d5485d23

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
bdb974c9a315b2ee7381754dc6d5a4ce

SHA1
a9656ff9bef77fd4c38029de7507620aea69b1bc

SHA256
2974f681f86ed160b340384358e63f9a887b5d02adeb7d284900f12c3fecbf95

SHA512
77777fa34a61eb8e64740f4c0e3a43bb676ce89824ce6933e5fa6fe128326261cff5992dd9c4984b2871180a87a6644c7e4efc500996f32835f19d73ff6e921a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
8b4a452175bae8145bdd6214ad01039a

SHA1
b9d401dc1f2b3970a6f4e32035473eb11ea900fa

SHA256
1fcb84196048bd723468a50dffc753ec4eae67c293548c43ba5bc3ffab908496

SHA512
3a896448d2450d3f2f74ebece729ab0962fbd34a1dc20da7a1d56f6e9c388a1b31e0ec9f0ab4a20b73474d53ab9ed4e5a92628026b166e62042028eab019f370

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
80fd66ad11af3baffa65bbe9468fe33d

SHA1
167ba7b51904d384330c4cabb57416ea4fd7fa87

SHA256
c8b3b6bbe3fd9d4b27f6fc3b2d2d8936dd9982afc91e2a055f52f62a2b66a95d

SHA512
b06b87152c1f3fb646a6aaa50cdd1d4dfaac21409b5c8be53a863c24f03b2efee99158d45f0c2bcbf777cd2156aec83a3684b1308d856939f730086f5eb64777

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
5c1387cecd57b8f53df5affefe81f383

SHA1
fff3500d3131640ef116b1f361e222c51f0d0dfc

SHA256
c0eba12f5fe229ecc57ca0d19cbe5438ab0e2efdaedc606bcd2f70cd214bd031

SHA512
45f0d722c87426253f55a2e9b4a6553bcfed783f923d0efb76b0ea821db6a9baf660f45cf8c91380032b649e64f31a9637e9081dc6f2048df785ce90365b5e7f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
35105cead4358e2927b7d4a4e1dcfba3

SHA1
b929bc84b09e9b36efca81d378e6de6f6a002af0

SHA256
6c0bd64265683c48cb1840a318ea1f7e0fc306daca1d9548e785b84da165486c

SHA512
7411ad3ff7c1208a42fe13b16145718b310fef153749cba525b4fae10a5d54beefa4639ab459a2d90e4a3ee25348533a4903d96c284a1dfeaeac3d10f79cef27

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
22KB

MD5
e5636ab88a4f9214bb79a64014c17ece

SHA1
c5382d769af72bda05b6b2f76e28725dbae7fa34

SHA256
bf4864f2989a8427abb7ab71341328e562ae63fbffec44f32c7781889a89b870

SHA512
c8a5e8344cbc30c9b3aa06f1ce11d4df54283a725b9bd6fffa4a7ffde8a9a9243b2ee2165dd24d22cb63e2b1fc9ea1e7431df1ddd8f334b184c8c644db846a52

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
ffebbeadf3a1550de4caa4283f718e1a

SHA1
ec7ae5ef114d40c5d5547d4c6d99120baf18d21f

SHA256
c87efb0b237b176af412ad299e4c1b1711b97fd73bdb8232a124a630877f9f72

SHA512
533c3fb7b7b82e6687ce48dcc7a42e8571330099f4d623860469265270cbfad09c324b0aa6a351be0ec8ad0e0dc6b12ffb15c162286889040be82beba3f4a349

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
41a8531e9fc69c96ca8d9715c6b61061

SHA1
163e2f1a913c4ed54d6455426a655de9a7dd6f68

SHA256
5c17641ed12e8592ac228d3206c8be3aa04ca0a77b9d6ba570fc8fb2b51f6c24

SHA512
045c609b96d7205e0112f5e1eeeece2052a67cf66b55fec5647812c6132fbe0b6b4154126ff52ce72b3d27ae9549ea8ab1a7c7128a51d6335e559390bc22ae16

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
925769c26509eadd6084c19bb4b4d658

SHA1
0df9d0a894dfd287e2a6360aca18855c6ff8c412

SHA256
f7ad0dd172bf97d18c24058b2b277c01b134b382547a2222f12d5fe57d4e3b8d

SHA512
6c677640443b019d7908df90c01a2ba79ab1be3e1d0bee8980c6f5de54ec93580a6b443bf218e73b0391a13fa76c30ab94924b0b1e61dfbdb27625959971a1d7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
2cd0497b4edad7156f01d3309ff3b319

SHA1
44fba3b80ac05c3aa9683c6cf779628c43e9577c

SHA256
eb5801dc74f46beb97b3ac9865363d949d4f37338ef068cffedbf67268205d62

SHA512
bfcb2d7f74e6db7857f11d74494b56e6c61299013ddd4eb0536619928f0d52f00c898d1de4d21324d3b296507e3a960a0bae6275252065bb92a99d8dc1b2dc3b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
09b946048b6c335713976744c90a397c

SHA1
4b5728d98ef264f1d3bbac3cf0a3d4f063ed1d1d

SHA256
d920728fc48cd31fb669e3c6da4f209d88518510fb3c8283b592d63f89e3a796

SHA512
dd40479707220a3526dc33f87cc419d73e49dd4f6dbcb069dc477af2a0e85374eaf28e596078f959a1531460cdd9c009e90e462fc1aef26e0e023b444da8e91d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
189789942e8f048f189defa60a7f011e

SHA1
ad51938a2702a24c42844502fbe303887c624039

SHA256
3000d36b7c9bf4b83231f953f26e13a636c6f4543600be3dd45a90aac3253cca

SHA512
314e12eacaa0dea64bce9b2c5217889aad2e3cc67717cc1c0709fd53f2de859a1d3fb28a36ebd768f71649d1a07a0bcac5274e4f85ef92b729e4e688b9216741

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
34KB

MD5
32d7db8fa5946bce9a7b373893beb7e5

SHA1
c6141f237e5bd9e9be5da6c052fa65d1ec1bce4b

SHA256
a7393724a7cecf0efaa497b2cfb65dfe131a5caed9548b4d4ae0e0a694a07042

SHA512
6d4af9f38152d4238a7814ef440a6c7d7930fdf5c8d4783a475d935ddb05c8352f5ae86bfb4085d0f5b596c3f4b8ea77e1924445c42e02f09922b4e41ca44d30

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
8d1d42544a6454161ada41f5a5536723

SHA1
a1aa50e3dd9a7b028102e1fdb6d58f0a63a44184

SHA256
db82c68d6e2b69adc9d288b42e82742ff936405199297e1b478e66ddfaab78fa

SHA512
f427837756e5f5b569e730d98f024d40e52b666643a8e8c17d535fcb2f4732398304f9c95703e79a0376b2b628aab2902d3d19880c056fc56324bb043b3ec537

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
37KB

MD5
00b4bd2edf0b64dac13fc2c5d21e8b5b

SHA1
e80f3ec5b2ac02f7f6a03d9cf91c066fd8d6f019

SHA256
37cca0ccb3d8c862d19bc7b93d5a124a8e7fc8736dd7ae40f5357ae3be65eae9

SHA512
b5c32d37a6f55502f1d4804ac80614af6665773fa42cc2dcb9b39959a6015150901e3a3029b7f991417a4d804810d433b7c850abf9c0435a372430accc51a979

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
28cfddce1d1f1d4fd3710c59bc21e0a8

SHA1
9200d3b8297edde49134e972355b21d6c1be4dfd

SHA256
89f89cc660f6d597acde2e46cb8c4e8554fe23e894fddaedbf2f9510a278cc48

SHA512
30b83df92ac9c0d8769abb3455d8a6039f425b8c3fa77fd51e142da08ee99671a150bfac5219c3df2293fce8f591c68550f889a842a0efaa36d4743e4cea0b77

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
40KB

MD5
a4da9ec17b37cbf4a930ae33f8bd0a76

SHA1
cc68e92efd34f2e4188db27d37141a263b0cc76b

SHA256
2d4d6d60341558a8246f25d4fc077ae0ae377aff68c3395d0f91eea23e0a7e98

SHA512
55cc3586b7cc822a3f0bfd382e13aa6e3aa563a1aa5fa9dd5343f9cf4ecc89faf9c3fad056f762012eda385e466f7e3a77213b2b940fcdee4ef79ad25cbed614

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
201854532abf17135d763a9bf26b458d

SHA1
652b3cf0cae7005d6d90c5b1eb504c64f6912ce6

SHA256
1def05202082e04691fac44dd2492fc0f1987f71b401c68a6ecb728b0b9f6e88

SHA512
35e8885812375f5bbef624e8f2fba0a602bb796f2a10f332210ce9742f4207c67c64d22e79fae8c8d5374565bd76027cd1a5efbcf7bd6a4a2b789132dd776376

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
43KB

MD5
66630168aa529567e4a7b3d3aa91f411

SHA1
86496ce31d2280685ae1456c8ee222de91a12b1f

SHA256
db91003b0d8d69e161998632a312f69fa71e709ef610129662e658c120d9f78c

SHA512
a6e79cec068899728b84910f1b17e861bc002a486e5d1bf0da3175b44c0aa7eafb7f7e2ffc48c66810e0cd3a0423f1c4cd5d068fed44b1f9f13bf3dba3efee67

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
46KB

MD5
4011ab47970870b314566d88e38647f4

SHA1
65f6707e43896cb256616c61c4ed0e44f2a170c8

SHA256
888d880d97dd6df7ede1798680c676194bcb9980ed5bfbdabf71dbe471f9729c

SHA512
cd2c00bbdc044e6d079c498fb6b638a8a177e01f0a4e6a4a8db8b1507b319baf6f1dd05142bf705620c7a8d088948ca301446671463be24f64b5ef2b9b90d6b8

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
48KB

MD5
5ba4bbd29152fbc2d36ab6c28b54fada

SHA1
a3d09bb16005f8e95ee4ebe3a0fa01fa16d7092e

SHA256
828d11a83b014b4106b90b557838279e034dbf3107565024cf6320f99bf6c065

SHA512
998de412ec5a29416b2ffd410926b97ac3fd14ffb1f91930040a60d6b2126bfe0a925585c7df131c15a14a1cecad7f3a67c43c1a984bb60adb4073ca9cdc4d23

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
50KB

MD5
07e5b20c6a08a95243276248bec69e68

SHA1
bc8fd0da56cac9151316d748a5b586d41c50e387

SHA256
7a295acbe01a2c066953e235fa4420957c830adbe764856ec54727eb222a0795

SHA512
8836b9aa69d6c6148b0e49b0f08178ae19a30aba2b71888e6d8293a4e0aa3a09abdaa2e5d2f33d16f584c80e5843fe7a895e966543aeb0e0c2d85303112be135

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
51KB

MD5
3c6617cfb7285a652bb1df2cb4820b65

SHA1
7ae47a8df98bfe3cfa08a739dc796a85aca4c1d3

SHA256
f1b44e397c15c93ce12edee31d8fbcaf895bc8ac5f7d6db88b9519ef73b97a37

SHA512
a4b98f9ae97ace7fb029619c1a458c89ff2f11b6b2bb44a75ca202085d8401be64b89f60cec2f1adf2c418cd3b82dbaef5197d0613cdf17d8f56c58a594563a3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
44a083d3e1927692bb4610438a614571

SHA1
15ac082cd07cbe0006336ab1e5035ce2e71c61eb

SHA256
17bad412e8c1361a40325d86413e635ce3643826fdfc59d616b50afcc7c8b3c2

SHA512
49afc5201536e3ef677f4addc87fd94ab5d7ce8730223fe939b524600134c340ba38ebe6a1c3aee29a9d3c4ef3b19817ccecfacdbdef8bbe7898692a09609e27

Download Submit
memory/4376-46-0x0000014339570000-0x0000014339580000-memory.dmp

Filesize
64KB

Download
memory/4376-45-0x0000014339570000-0x0000014339580000-memory.dmp

Filesize
64KB

Download
memory/4376-44-0x00007FFF8C860000-0x00007FFF8D321000-memory.dmp

Filesize
10.8MB

Download
memory/4376-12-0x0000014339570000-0x0000014339580000-memory.dmp

Filesize
64KB

Download
memory/4376-11-0x0000014339570000-0x0000014339580000-memory.dmp

Filesize
64KB

Download
memory/4376-10-0x00007FFF8C860000-0x00007FFF8D321000-memory.dmp

Filesize
10.8MB

Download
memory/4376-9-0x000001433A0F0000-0x000001433A112000-memory.dmp

Filesize
136KB

Download