toxiceye | d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

Resubmissions

18-05-2024 01:48

240518-b8ehbsee95 10

18-05-2024 01:47

240518-b7snkaee49 10

18-05-2024 01:40

240518-b3mlraec26 10

Analysis

max time kernel
52s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XcHvYYrNa.exe
Size

111KB
MD5

98e558eaea97f0b282b42fa6d49070b6
SHA1

2e48bb1b50177fe17392ac9407ba9f7e45685a3a
SHA256

d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1
SHA512

01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882
SSDEEP

1536:v+bDH/4gqLM91qQIwBI5xxxxdyyKDWfebhDqI68QWfzCrAZuYPwDr:Wb7/4jLSIFxxj8bxqH8QWfzCrAZuYUr

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5563559839

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	XcHvYYrNa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	IShadowRTX.exe

Executes dropped EXE 1 IoCs

pid	Process
4160	IShadowRTX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com
94	raw.githubusercontent.com

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	IShadowRTX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	IShadowRTX.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4236	schtasks.exe
4944	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4760	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
384	tasklist.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4160	IShadowRTX.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
3236	mspaint.exe
3236	mspaint.exe
3648	mspaint.exe
3648	mspaint.exe
4092	mspaint.exe
4092	mspaint.exe
1476	mspaint.exe
1476	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
556	mspaint.exe
556	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
5848	mspaint.exe
5848	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
6524	mspaint.exe
6524	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
6628	mspaint.exe
6628	mspaint.exe
4160	IShadowRTX.exe
6824	mspaint.exe
6824	mspaint.exe
4160	IShadowRTX.exe
7100	mspaint.exe
7100	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4504	mspaint.exe
4504	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
6788	mspaint.exe
6788	mspaint.exe
4160	IShadowRTX.exe
7268	mspaint.exe
7268	mspaint.exe
7372	mspaint.exe
7372	mspaint.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
4160	IShadowRTX.exe
8112	mspaint.exe
8112	mspaint.exe
4160	IShadowRTX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4160	IShadowRTX.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	XcHvYYrNa.exe
Token: SeDebugPrivilege	384	tasklist.exe
Token: SeDebugPrivilege	4160	IShadowRTX.exe
Token: SeDebugPrivilege	4160	IShadowRTX.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4160	IShadowRTX.exe
3236	mspaint.exe
3236	mspaint.exe
3236	mspaint.exe
3236	mspaint.exe
3648	mspaint.exe
4092	mspaint.exe
3648	mspaint.exe
3648	mspaint.exe
3648	mspaint.exe
4092	mspaint.exe
4092	mspaint.exe
4092	mspaint.exe
1476	mspaint.exe
556	mspaint.exe
1476	mspaint.exe
1476	mspaint.exe
1476	mspaint.exe
556	mspaint.exe
556	mspaint.exe
556	mspaint.exe
5848	mspaint.exe
2956	OpenWith.exe
4260	OpenWith.exe
5848	mspaint.exe
5848	mspaint.exe
5848	mspaint.exe
5140	OpenWith.exe
4056	OpenWith.exe
5528	OpenWith.exe
5388	OpenWith.exe
6524	mspaint.exe
5616	OpenWith.exe
6628	mspaint.exe
5820	OpenWith.exe
6524	mspaint.exe
6524	mspaint.exe
6524	mspaint.exe
5932	OpenWith.exe
6824	mspaint.exe
6628	mspaint.exe
6628	mspaint.exe
6628	mspaint.exe
7100	mspaint.exe
6824	mspaint.exe
6824	mspaint.exe
6824	mspaint.exe
7100	mspaint.exe
7100	mspaint.exe
7100	mspaint.exe
4504	mspaint.exe
6400	OpenWith.exe
5692	OpenWith.exe
4504	mspaint.exe
4504	mspaint.exe
4504	mspaint.exe
6844	OpenWith.exe
7012	OpenWith.exe
6788	mspaint.exe
6788	mspaint.exe
6788	mspaint.exe
6788	mspaint.exe
7268	mspaint.exe
7372	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4236	220	XcHvYYrNa.exe	88
PID 220 wrote to memory of 4236	220	XcHvYYrNa.exe	88
PID 220 wrote to memory of 2020	220	XcHvYYrNa.exe	90
PID 220 wrote to memory of 2020	220	XcHvYYrNa.exe	90
PID 2020 wrote to memory of 384	2020	cmd.exe	92
PID 2020 wrote to memory of 384	2020	cmd.exe	92
PID 2020 wrote to memory of 4188	2020	cmd.exe	93
PID 2020 wrote to memory of 4188	2020	cmd.exe	93
PID 2020 wrote to memory of 4760	2020	cmd.exe	94
PID 2020 wrote to memory of 4760	2020	cmd.exe	94
PID 2020 wrote to memory of 4160	2020	cmd.exe	97
PID 2020 wrote to memory of 4160	2020	cmd.exe	97
PID 4160 wrote to memory of 4944	4160	IShadowRTX.exe	100
PID 4160 wrote to memory of 4944	4160	IShadowRTX.exe	100
PID 4160 wrote to memory of 3240	4160	IShadowRTX.exe	105
PID 4160 wrote to memory of 3240	4160	IShadowRTX.exe	105
PID 4160 wrote to memory of 3524	4160	IShadowRTX.exe	106
PID 4160 wrote to memory of 3524	4160	IShadowRTX.exe	106
PID 4160 wrote to memory of 3296	4160	IShadowRTX.exe	107
PID 4160 wrote to memory of 3296	4160	IShadowRTX.exe	107
PID 4160 wrote to memory of 3236	4160	IShadowRTX.exe	109
PID 4160 wrote to memory of 3236	4160	IShadowRTX.exe	109
PID 4160 wrote to memory of 1488	4160	IShadowRTX.exe	110
PID 4160 wrote to memory of 1488	4160	IShadowRTX.exe	110
PID 4160 wrote to memory of 1928	4160	IShadowRTX.exe	111
PID 4160 wrote to memory of 1928	4160	IShadowRTX.exe	111
PID 4160 wrote to memory of 5080	4160	IShadowRTX.exe	113
PID 4160 wrote to memory of 5080	4160	IShadowRTX.exe	113
PID 4160 wrote to memory of 320	4160	IShadowRTX.exe	114
PID 4160 wrote to memory of 320	4160	IShadowRTX.exe	114
PID 4160 wrote to memory of 4060	4160	IShadowRTX.exe	117
PID 4160 wrote to memory of 4060	4160	IShadowRTX.exe	117
PID 4160 wrote to memory of 1964	4160	IShadowRTX.exe	118
PID 4160 wrote to memory of 1964	4160	IShadowRTX.exe	118
PID 4160 wrote to memory of 3048	4160	IShadowRTX.exe	120
PID 4160 wrote to memory of 3048	4160	IShadowRTX.exe	120
PID 4160 wrote to memory of 3208	4160	IShadowRTX.exe	121
PID 4160 wrote to memory of 3208	4160	IShadowRTX.exe	121
PID 4160 wrote to memory of 3648	4160	IShadowRTX.exe	123
PID 4160 wrote to memory of 3648	4160	IShadowRTX.exe	123
PID 4160 wrote to memory of 640	4160	IShadowRTX.exe	125
PID 4160 wrote to memory of 640	4160	IShadowRTX.exe	125
PID 4160 wrote to memory of 776	4160	IShadowRTX.exe	126
PID 4160 wrote to memory of 776	4160	IShadowRTX.exe	126
PID 4160 wrote to memory of 4092	4160	IShadowRTX.exe	128
PID 4160 wrote to memory of 4092	4160	IShadowRTX.exe	128
PID 4160 wrote to memory of 632	4160	IShadowRTX.exe	129
PID 4160 wrote to memory of 632	4160	IShadowRTX.exe	129
PID 4160 wrote to memory of 1972	4160	IShadowRTX.exe	181
PID 4160 wrote to memory of 1972	4160	IShadowRTX.exe	181
PID 4160 wrote to memory of 3312	4160	IShadowRTX.exe	133
PID 4160 wrote to memory of 3312	4160	IShadowRTX.exe	133
PID 4160 wrote to memory of 3092	4160	IShadowRTX.exe	135
PID 4160 wrote to memory of 3092	4160	IShadowRTX.exe	135
PID 4160 wrote to memory of 3272	4160	IShadowRTX.exe	426
PID 4160 wrote to memory of 3272	4160	IShadowRTX.exe	426
PID 4160 wrote to memory of 3372	4160	IShadowRTX.exe	138
PID 4160 wrote to memory of 3372	4160	IShadowRTX.exe	138
PID 4160 wrote to memory of 1476	4160	IShadowRTX.exe	139
PID 4160 wrote to memory of 1476	4160	IShadowRTX.exe	139
PID 4160 wrote to memory of 556	4160	IShadowRTX.exe	140
PID 4160 wrote to memory of 556	4160	IShadowRTX.exe	140
PID 4160 wrote to memory of 764	4160	IShadowRTX.exe	276
PID 4160 wrote to memory of 764	4160	IShadowRTX.exe	276

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe
"C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 220"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4188
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4760
- - C:\Users\NVIDIA\IShadowRTX.exe
    "IShadowRTX.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
      4⤵
      Creates scheduled task(s)
      PID:4944
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:3240
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3524
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3296
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3236
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:1488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1928
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:320
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:4060
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:1964
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3048
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:3208
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:640
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:776
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:632
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:1972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3312
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:3092
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:3272
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3372
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1476
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:556
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:764
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5148
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5200
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5316
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5452
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5512
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5568
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5740
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5132
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1796
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:4464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2832
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1052
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5248
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6212
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6340
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6412
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6464
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:6524
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6580
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:6628
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6740
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:6824
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6868
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6956
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7004
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:7048
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:7100
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7160
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:116
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5260
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5352
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5432
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5396
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5160
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4504
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:1836
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:3928
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3596
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7040
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5832
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:2844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2564
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:6788
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5392
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6592
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7172
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:7232
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:7268
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7332
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:7372
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7416
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:7460
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7512
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:7604
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7716
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7892
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:7964
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:8044
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:8112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8152
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6800
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6936
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6796
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7052
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5600
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7120
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:2304
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5224
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:764
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5352
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7084
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7560
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7108
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:7556
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2056
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7640
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8000
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7860
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6200
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8072
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6428
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5300
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:5356
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5432
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7236
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:7584
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7616
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7692
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6020
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7496
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7204
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6428
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7936
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7552
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3604
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8216
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8272
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8324
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8344
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8492
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8560
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8632
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8748
  - - C:\Users\Admin\AppData\Local\Temp\CommandCam.exe
      "C:\Users\Admin\AppData\Local\Temp\CommandCam.exe" /filename "webcam.png" /delay 4500 /devnum 1
      4⤵
      PID:8768
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8812
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8860
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9092
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9144
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9200
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1368
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7440
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7460
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6240
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8080
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8660
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8700
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8704
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7220
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1692
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7572
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8676
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8268
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7856
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8040
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6380
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8908
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8776
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9156
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6400
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7616
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8204
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6820
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7556
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4148
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5116
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4536
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1976
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1332
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:4808
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2088
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2824
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1760
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5812
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:4468
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5664
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6164
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6272
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6368
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1496
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6248
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7032
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3272
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5376
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1488
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6820
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1472
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4376
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6760
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6464
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6696
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5156
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2920
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9100
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8128
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5864
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8148
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6436
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6280
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9008
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6904
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5372
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9264
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9368
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9412
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9460
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9500
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9540
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9656
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9796
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9840
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9940
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10024
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10140
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9228
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9304
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7696
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5708
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7904
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9868
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9844
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8672
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3772
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10216
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10304
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10456
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10500
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10576
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10752
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10896
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10948
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10972
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11100
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11144
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11200
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9568
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8336
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8396
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10180
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10472
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10724
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10540
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9884
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11332
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11424
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11552
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11656
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11740
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11856
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11992
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:12032
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12124
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12284
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1436
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7224
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9736
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11256
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3580
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8896
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11784
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9116
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12144
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1876
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5148
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10728
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6256
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7228
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11860
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2472
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10328
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11276
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3016
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1324
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11780
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3584
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3808
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1652
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3836
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4048
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6300
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4200
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1832
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6652
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8416
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8968
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:224
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6668
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8888
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11596
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11540
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11984
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5736
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11728
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12032
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3516
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9280
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10984
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9476
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7652
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9164
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8176
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11908
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12260
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9956
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5180
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4436
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7476
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1568
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12380
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12528
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12704
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:12760
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12868
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13048
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:13172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13204
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:13276
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13296
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7280
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5404
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12344
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12588
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2708
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12716
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12980
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6224
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7292
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10332
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10612
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11092
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6124
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11028
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12440
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4380
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:13304
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12460
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6752
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:12928
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12788
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3872
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7432
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12004
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4488
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1516
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9056
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8104
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12760
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10772
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2344
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9396
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9756
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10348
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:13236
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12352
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8956
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6260
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5288
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:12132
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8004
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4984
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11480
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7072
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8592
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9524
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:13112
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8236
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8464
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5632
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7460
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2864
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:11700
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10292
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11608
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:368
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11472
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8304
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2088
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10760
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10572
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4552
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11760
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7488
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3912
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12432
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12816
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10772
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12992
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4496
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:13184
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:4952
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10484
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8656
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11532
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13200
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:12896
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8548
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11800
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5264
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3972
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6620
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10812
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10260
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:13220
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3612
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8736
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11968
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11580
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10260
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11024
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:3452
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8100
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:12748
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3300
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12364
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10620
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10872
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5828
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:6280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd37d046f8,0x7ffd37d04708,0x7ffd37d04718
  2⤵
  PID:9008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:9032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:9784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:9152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:9744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:10588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:10596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:10784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:10740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:7128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:11324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,14871738270592846143,15893123644922333457,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:11484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4868

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9abdc55149754c42802a200463e575ba /t 10060 /p 3512
1⤵
PID:11776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:12880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0cd29bf3-675f-4a07-86cc-2b36d5c3bc16.tmp

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4f6294f7a7b9613237140013943d953

SHA1
7cae45c891231e32b7821390dd100af95c708d8e

SHA256
c534a7d64f66e92d1113c98e88355b78fb2995b16d75c77f19f6dd5fbe32e2e2

SHA512
6fcb0d111adbb16e98f66f72356de5120a005801603b81cc7a3b1ec32c73c5a9e008246e894bf40357d8cea9f837fd1ef7a141f1ff08e93820778637f21928d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f57a4e4c2db40961f7000fb5481f1311

SHA1
2ca01743bff3e30edab87b8f2856b89ccb46cde7

SHA256
0dfc64bdb3bd51fbc2bd5bc6e387022a308093077f838c4b712a63a7bc905d7a

SHA512
a034598a2e5b3d30b5c1e2e6a312f25927c75fa0a6b6e3a098440e7d790bfa6eb09dca769a93f4e059aeb874907e64dc4037ed0d1f41c1eced5ae6c6169da69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce5094b03e8584a5c5470ce18854cf6f

SHA1
6e4aaa0eab1124f0bed25c4eb2632b82f859aa05

SHA256
de0d2a526daa0bc0a5efc872a7e6bbcf3f4b1027028b5f1c579451de37ccc182

SHA512
cc42df0ca0030af23a62726a44a0f799636f06f8e574de5829a0b8a6c21b6745ec4f5f00bb7d99c8276e69c16f19a7ea6099b64bc643d7238243a70c6ef879f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da96b825caf19e8b7f64fcd2e5f4f2d3

SHA1
790304360f5b65acb7b5bf653622895f720774e7

SHA256
24856401a24b3769880ae67998b89a6045dbad4710afea7d7abac40ba12a83c2

SHA512
6a05da8ebacb4fb47ceab968db5e847fbd2b215a21f8cd290e52b1069d0652ad2ba17be5bd78f8380e3e61eb17cd0003de5a3886d5f443eba04aced4efd52572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
599e01fcb6a2a89e1f39bd9cd673e671

SHA1
bf3613641305afd2acb40b219c43ac0261cee1a6

SHA256
faed8c1832654eb1f9ca028be18d4983e43f6c9ed14695c7646c322311917b6d

SHA512
c90740ec06823271642d83523e36c92ada261e7418101022030b83a874cd75e54c9d9fc626c72ee4391b5ea676e98a7d56bf94d9875bfe9c81c09c231bf5280c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f1c4569cf71504340f6bc67e2583b9a

SHA1
12058177e17898b0e37949674bcea75ad6409e00

SHA256
ac143e2cb7d2a9b8b42d5485abc514f20a9719acc1f916fe9f7d9e4957ea3395

SHA512
09b308cf833ccff786d99e8909a3bc7872bdb390bebfafeececbef6e2171f8c5323f3aa511206a1b7bcc6e119a8f9c7fe77a1a7d2c668b71f8222b5e3fb3a9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
839ea1e6193e2aa9e68306fc78ccc854

SHA1
f4f851f1e34459476b36c8cc11c9f909ba8a2b33

SHA256
ae4d4e7a904fb0f62fce3ca0ddf89de983a4cb69215cb67ee79270da8acf5125

SHA512
a30dde6c72657f59986834fe355171a81e7e53a40545f4bf05bd5b5de06103f52e2d05bafa3d9afdc6fd77dc06f6a18522263156aab5dea9b14f3f6b1b967e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc746953769579eb9ef05064e9f64f5d

SHA1
dda965caa49639c7a7ed4479921522640208806a

SHA256
5ad446812d84bd48fcccb14a91cbf9abf75a3437ea700d565a778bb2680d0f08

SHA512
683adca5e5983d77721f313ed217726016209ad399311643a2cef513d36cc6fe4d31271350a18e47f93750a8306559f7a0b0469b9a4762dff853bbd247b92e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f58b529eed452af59291611d1748ad72

SHA1
8df4e8bf33eb00f02b34f7716da82d830f5970d9

SHA256
6ce8607c17b116e201091c8dbfd5318ffa55a22735a2715a044d1a02e8c4aa81

SHA512
05232d5d25e81f1036838a0a523642928b630d2b0dc4f5021e00a7a67b9b5f135bbc214796c66fbc2d9a780c4fd6b2382321aa58780e7d157213331eadf99e3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6KUWUA35\microsoft.windows[1].xml

Filesize
97B

MD5
689df38489ed790b0068b7f3cae1d440

SHA1
6df6ffaae31903b96024a7b81f25f1ed61c3f152

SHA256
fc336b0ef0f4f06ea66d92f25dd66dd1b0d697da62b5073ed5199fffac8a08aa

SHA512
1f26ccb99ee3babc3617eb635a75f02d34be865c200a866eb28024ad0d8ccbe4110b0dd1a3d2ab14fd84b2eb345fed8bb65a19437ff99c1b2d84e2b3ce9acbb2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133604702216348284.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommandCam.exe

Filesize
63KB

MD5
1009e5b3884fffc9926a2e97ccdf8408

SHA1
15ef775adbddd1f9515860f322fcfdb1f81fbb49

SHA256
e4e7f08d9a9a662b5615e8fcbb6cd3c711ecab6341a60562bbeff9ccca43f7e0

SHA512
3a8b777ccca6f29c8bc350711f594e1951afdbce8eb78786d2b3d85f940051635c05ec414768eef956076e41f1e53195f4d6fc20941428f525fc7cbbecc67891

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat

Filesize
190B

MD5
2c75e0b997af7ef77d96ea54b7fd4f5a

SHA1
48853e2bd280d8fae2d97ed05e2c8f0fb565e88b

SHA256
de16a87f396cc102d3cbae8483c2ca02593e2df1c3cb2080df9afc4a894bd306

SHA512
68b06574e72e652d8f833a8537d058283c506f48bf435eb382dabeff8c7c1f63b0eb71889f5f5c4f0ab840717e71c33f9482117340fda13ddcda2709557de300

Download Submit
C:\Users\NVIDIA\IShadowRTX.exe

Filesize
111KB

MD5
98e558eaea97f0b282b42fa6d49070b6

SHA1
2e48bb1b50177fe17392ac9407ba9f7e45685a3a

SHA256
d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

SHA512
01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
79KB

MD5
abdea2cde30c0021f6b393270eec2b83

SHA1
48da6e95b4fc52319fa9be0c0181ac41330d8d5e

SHA256
87b95907f5e135ec187150092edae6d8e03bf220eb9ba7b5b9302ee60dc84670

SHA512
432eec791c7712bb5e36630c7c4038008e71e33cf094cf1428c28ab3ad1a544a3e4dea129593d8c3b63c5fe959461f6087b4f51077acc84fc2cde87b805d0f66

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
80KB

MD5
545050df10ee915d68f19912c357db07

SHA1
133e21242f0b6d34a217221ce1927320ededb006

SHA256
420c6201c81c0dd945b9bfc135c168244a648ece09fe8aa051bbbf2ce77852b6

SHA512
c582871cfed392d13ce3d1911e5152479f127eeac62d0e674ed6f6a7ee10dbe5e16bc96f7bc646562e01be96506aa8a50d2fa402d17b1d36b3e8d878da284be2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
82KB

MD5
bae15f14f041c677803ea58620ace44d

SHA1
6b790fe9b502b9b05c7512e9c768976e93d23efd

SHA256
c874cf51561e927f8bd523a83feedbce68777b267f04f8514d7a3115b745d068

SHA512
2c6fbb47d8d300da51825bf25928ca9035b12a1b97114e59dd47a6c1ce4a040c1ddba9c2d06ab8ffeb1e1eb8819c9ba2f8781248179cea5684e1099ea7e0b660

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
fc57bac8bc5466953dc1f49a11b09ba1

SHA1
7de07bbaad2f411f3abbda12e20b514aa74b7ab3

SHA256
3a1dc5d835c1ddaf52a456565d4cc098ef88b4ddf6d3382f80752a5d19d18bfe

SHA512
43dbee62f7236cfc11daa582a7283a3377a6f18af0a0395380c6f4f51f995e1202b7a346dfa1ca626270e88bdd9e0fe0cfa156e55075ea8fa2e3ca675b4a0863

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
84KB

MD5
5f9088d6a95f0dde10838a5012c4a19b

SHA1
5134272c28eae9b63c7a03f1422f794817f1fee4

SHA256
389c42a7b1fd0ec88a40e96785c5096949706842c414011dc1af18ea1862b830

SHA512
48f277d6f5d2f36da7dbd91f66af945a701e78ceef1345df891c72c20696d28233aee8cf86d2b74070c2257689fee73aab30066e6ec632137e281d630478dcf7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
758bce7724b7bb266206e17f8a7e1fae

SHA1
30b946c58f2f302887cb3fb5d0d56820189edee9

SHA256
6008167ecd1e462b9b599a99a749689de4fdff6d73f9ab0099384d3d657d407b

SHA512
073cf29bec5092097b76d2ce1c10fa0ffe5a3a52577631208d6e263ca92ee9924cdfc7d4364388f0a33219fef2f9f39cbd0cba137f54cb2ca173b3cba307b106

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
85KB

MD5
07ad7fa29b6f9008a75b850d189f9620

SHA1
2026b73cdb1de4dd4b2d9e1157aaf1085dc03b5e

SHA256
dcc1cb16556b487ca035e51d2cd6b629cb6c1bdf0980ee27bb6a10410e7a0606

SHA512
cfb44285a2742764661f01cd6702749de1794db433a2ec0a96ec3be52b309691967bf803bc98be05ea9fd863671771fd420805e692bf0cd12fc0ad9855bcab61

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
87KB

MD5
39db166569775f02f02bf5db96c334b2

SHA1
aedef07ca395ef370ae50081a9ed20b8460d9180

SHA256
6c75eba7810716e23b4836aaeb652a54a861bfcd57c04174c73933f93df6e79a

SHA512
3c007aea466c9473ee3e7a391d7f40c209db27640624f30308b27ff7c0a6f896b33901a14d628220c35a65a853e7f077c69a4d0271b795ceb279ec4c5fc11646

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
88KB

MD5
6c50d3ccd42ec3e8bbf0e6b0f919dac4

SHA1
2d2979673284e1c837baad0baf75e507c8774dcd

SHA256
8fc157ad3ba5646964e9b8201a6d1e9b8358aa89102baa208b08e7efd87e4dfc

SHA512
a90b430a2d3113c81bc9547df989f099d7e785e034d0c29f116005501cc8f7e47aeec2264740fef7da8c7a55e25551e127011ffec4ed116f4ecd8aa7455354b0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
90KB

MD5
78e4d388d5c0b6c327927498e3f0b5cb

SHA1
2d73de9a09060baf6c8148ed4c018c9938207a39

SHA256
ac7421073c1b81574c3930b4252a6dabc106305b1c5a05006fb5f840c543977b

SHA512
3f9be273180b1ddc05bc12f8ee15cfc8ce0eca0bdeedde1f69e07d464b6a85c3f6776ee41901884118064da3aa91f525a3ed19029893775067fda691ff736027

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
29c9b6b00fb1ab9c4e3104b2d356fa20

SHA1
78e8ffaff2abeda5325de6431e7f4586a4ba17cf

SHA256
1c71d8decb9105c83b15e3daf6c2b40e070ca3b110a93e24de67e811a309c99f

SHA512
9aa169324c747c67703b211951283b7b697c3b889338cedd86743080e46e19701cdae0968288d6d6da6db9c32ab601a25be4260dd54d272cc922ad1e77c992c0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
46a52c910e30d29ce9c6256227b543f8

SHA1
4bb085fe65f9e416c8b254afa034e6dce738e672

SHA256
dd6bddd5a2ab452f53222d95cb67f36c03472a5bf384bedb72d11225eb516033

SHA512
191dd1e6a919b3d1570c7e3419eea28b0ab1720e9ce2595d92a0d8c809ea81dfee9088957c2ae0281e55fc2446267262df7efcde848ca98343a3efc5fc42d806

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
29b5b0a305c2aa7f2c60cd95f19ddafb

SHA1
26f982cae941c8a87c131c96efbe181f4b14a441

SHA256
3fe0d332da92020bd33ae597974013c24dc7956726b3411b70c1bae3df7fe0d4

SHA512
186943fa4898077160bfdccbe4abc3173bc0cd1283d16ba54946ff3297c3dd0ab8c9d6225d4a1ab4869bd83dc3ff7503a0d80508f81c91a76b2101a4acd8f0d0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
0fff1d8c9889d54270b0ea985a1b3343

SHA1
63022af3e3540a6d707d943051aaf874fb68a7cf

SHA256
9edb3e94ed374b2b460ae620aed45441d3bebf19543e38f8cb61fd02cc0b9b1b

SHA512
a3b974601f80d38febc5c467d3eb08b8e5392e2d9ad308a005c45598e9dd83f9475622ff7afc06a15ce24ad2368df8f9d45f0cfc05ba5b19d44bc1dfa54ccdfc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
3373113f4442e1b63e6b15eea93dac4c

SHA1
9c50984055791d8f370a4eace9b332562a7a9571

SHA256
87a7ae4f6c0b8c1d07c956f781e34cf626a23728e3ceba6189b9adafebee88fd

SHA512
dec174120e2ad1d7edff62783e5cfc64a922782b92d71ea0293671fd7211a1690e9ff3b7175d771882154be7ca37fabdd701ad9bef2fa6b6bc0969c460426f24

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
1193e1f173c0f8df43451a24690c96a8

SHA1
9b3548b8cfae1a2162224f6c9b22f1d1f0b742bd

SHA256
c580369018f70b8fda58dd0a2b9fe2432f6c1e10c5577d6055153b6a06b2b38d

SHA512
5c3c1bfe6621ed7f64b2bd926eacb393450e8367e7290193d57573fc9566f78f1e5caba638dc42a1e8be0e52f7d0e4efa4fcb4aeaf1de3d79a95d94455a5c00f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
94f0c842ec7be335e4efc6bfa2e00db3

SHA1
37f574f6c0fc459e8856d4e9212a72e125f6c9f7

SHA256
94213c6f755360b659e09e78f4799577b0550c58cdda529073744e66407886df

SHA512
74f8650c7cdb4f4bc69d38c3623de2cc58325a242e5ee6af86a0dec184b24327da14b5626539b4156deef349772afc8e63d7f61179b9d107a2abb4165ff6010e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
63e4ad1529f57e7517e41ab2255ea939

SHA1
6d78bdabccd902256ed8135926594c98fa66cd79

SHA256
cd23991daa5d6a468187de2051d536336eea76d0873bd6339e14fdb402797acc

SHA512
244f0c0e142739996c2ff3c577fc21757488694981238a4245e6b2ad52a489582692f5ed516adcadd97636160c18d5f724f9e5f1c508e2aff79ef0a8bff99937

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
c056fb1be2d9bd290f9ac83487b9ab7e

SHA1
1c89af85c4188189636fb07a62bfa21173944f90

SHA256
c29b77c44ce10cc84a78445d993cd83552a1ee480b05f9c1f36c6ebb41f9e23b

SHA512
f2f1e96b4b7f748675ff01aa9ef0321bd12d35e7ffd55689847305a97f58e7bf3a7eeaa167bd02bf1d3ec4574d8a80e31a711ba94d136ee1c284f29aa20c8929

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
4fb9cb4a8e921cfe9424f99183b90308

SHA1
778f77e6f3992cda5e1910d41f9e29fde9c03fd9

SHA256
b91522d94215ee6970c845b13145588c89d1b069d641963930818ef2db918ff8

SHA512
f543f2c78b1cbf38083f8e062d2659ea0bbe10281d68583557c8ab1a8f97e4e2c939f7b99e65e7b241467e5d9bca3ccf67470ad9d82f4f9a54540f3800e4fbbd

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
f0d44bba3d78d21f4a6cbecf8f0e27d3

SHA1
a985a566f7061a36ef6709d2a5267b6d01ae5a33

SHA256
e4e9ebec0a9ab501d734e1e5aae29eede80c590de54117491ccb7a1a2805941f

SHA512
e3840bab19c54eab80b07b2df278fe0d3b2343cf6a68ddc67a65851e03349bf44838dd4901a4f3f01dc4f43e3d2ecf78df5fbc5ce07bd221a17e961cae698395

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
a6fd4fb38f314e9414e064120c6332b2

SHA1
ca9404a429436df8f99f87733a63d9bad8235ffc

SHA256
ded01a3ee99eef9a76179e9a7b58c8de740df05a265cf5714238a1845c6e70b5

SHA512
375c43808bc80a6ded795ea2200f21c22a2bce5167fb99d6764571765db683254a747ab5e3d370f0bae92da29af4d8c6c1b224f538a2479525d9d9fcf67ab829

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
66b0e3c571dc90dd41e26e02e082c377

SHA1
25b99304d8350cac11c6e8e648d1014e04a0595f

SHA256
952e712208dfe45404b427402e15a2d5d466afa346af3a77b7d870ab1c376265

SHA512
10477988f9f97c2c7a5916a26545f66450f6a813c0c4fd21d98f6e8a446abb3212af85e5d3044835bfafdda86bcd8758d75bca44b979bb4e3f0fd8fc8b2d7372

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
c975081bcae79e9c382a1fcffc35288c

SHA1
11102d80a5fb304526e5537b30d7f0ca7ae14682

SHA256
4219d963655988986cd23c1f4e5ba3480710d668803d2c60183704de5e0e8d88

SHA512
90c9e2f26a62211417667e0d960ae01ce64c85d5cb6c67acd5094a6e6afbc943045df0a564ddb62ff6d5942cf660428cf29ce29dc045d8975e36056c950730e7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
32KB

MD5
cd6e96afd0f0528558c1aa07713069cb

SHA1
11761c619ded93fa7794619a79a4e8f350f3f33c

SHA256
3cca10fa8905abab8c4c45c2ad62d36b231cdd4b61019cf6a75d3dae569c4f73

SHA512
66418198732d4950259541a48a5a94060c5ec6e7c6d599e9dd7f9326d5f2133a5c0e0136b49cd135e0f5177ed2da4a3781ca65e79681a01d41387a9f9499bada

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
8902269cc3305b2ad4d8e25e45c45f6f

SHA1
db2641fee100a90a133f512d51daa76797b2c129

SHA256
4209dc78efb2817ef27e22e7a1ae347e11629b97458960318c8bcee4a8a11783

SHA512
789e277d7b4f164a915ab75b1d6ace94bc1769c39e04909267f10ba090576a24da6f834feec6dd3a991c5dcffcdf7bfdee5550cd2fe71fd0d6fcc5b86f97ed05

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
c38bb7fc98ba9541cc8431a84f0bf01e

SHA1
c40dc9a4fbc7b8f613bfbae25663efaf84cb480f

SHA256
830740440316dbf80877ee49f87e746d022e7fa7712e883b9886b1d771085751

SHA512
7dfade2d40551104e823e1527e067961d64d480fb409c494e7c4bf497782f8969019ee4ed716c4b96f9e180652a74a5d6878acb021d990bb18eacb1ccb4cd1b7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
38KB

MD5
e107de0eda4bd05810de888c8d796606

SHA1
bcf8a933a0d5f5fc4ebe82f0bda9245f92b51954

SHA256
14f0972e6b3bb0049f1fd3c3d858ad3d0fcc6718f8dd70bff6ea36a294671e7c

SHA512
fd59e6f3ddcfbd6a0b7f0839fcbb50f1ef0b020d14f057344891adff8cb2585cd6158f05a907be7c0a1a9cac0a0eab46149356c45b2756ce2497fa8191662739

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
cef9c0da2611df22bc55bd053655b9af

SHA1
2ba120337e9eeb316c321122ecc06e8daffb5ca6

SHA256
4b3a74f6e11e5ec8927476876f6232990ac32a47b4c5073957abf2776909cbf9

SHA512
f28663a89a1df97642b12bf18ce2b6f2a04158c6632bc82ce0cf176d28666b72c381fee0ca92cca932728d09c8c9c656470364204f67c38672d7cf839e5771dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
4a406d9e3e48b79a327836b724bd580f

SHA1
04deb9ecf733fe4530176b35e5871af7ba943f79

SHA256
334b1a38113492c0c65ecc0a01d8c97fd0ee7aedd92ec627b7b5daefb4cd28e0

SHA512
7bf0a0cfad9c7f4d619d4dd9de12dba65c2bfe3c81b3be9eadcb20850bb98b3b5d094152dfc044aaa6de712407c24a21075fcc502447a1c3989ae7e0389e5ef6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
80d3f299e381146939579bcf92063098

SHA1
9709a3e47059f803a662a4f2c6be723e728ecdb7

SHA256
66b3b01df44ef1a662468f1d6997e5ed87dc17319a5a4da93df08844db8fd4fe

SHA512
77bfa95aaaeff6fcd9ba1341c8b01b0fc722baefdc7b6ef43d30a2fea1c83dc622a7cebe501dcaf5a0f6b258b1e66496791e97d91f20d1ec14a35de06938cd43

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
d5741fdacacc3de8fb9f1f8eae846009

SHA1
95992d471923bc4696f10aada0866e2e25f7103a

SHA256
a5d5698980deb1315538d26faf3110b4232bbe7104164c889fd33ec1cd75b993

SHA512
fc8d9ddda191a2f82d7c5b2531a2106eea89a3a2f81fb6fc9921d7df8378fce747a19f9c37a3c69a1472ab206abc9182b64dfb2a39273ebc2894967f219675a1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
50KB

MD5
f175b77fbcdc5d751677d5e55a7404d2

SHA1
06eb745c507a3d0d6d0a07a01926f19093026206

SHA256
4cb581670463e2485b0520b5bc0c89d1286c46a1df91afa2d22345815a85ea82

SHA512
e01d2d317448a741db47a7abced75385108e0ce6f3d8a087a9aff1cd9a26ab5616648996b03d626baf5b5b1b47cb9f896379d86c02617ab1471d6f1237294b9c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
51KB

MD5
c8cbd6bdc25e805048f429ca51124785

SHA1
8f612b51ed79121fa11a0fe21bb0aaf27f5a49bf

SHA256
b2752722dfa301fe9a49a8c2cf29790dc38be839903bd707621126b9c9c8a26f

SHA512
8ece383e873c0960a18922c8412b736b8f76b59a69c048960ef924a298add73efe66940b6f9979e0d661857df6568f305f237877275b8536760c234cb64c1776

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
5bde10c927a90b456068c60e07f38dbb

SHA1
4a34f7dd1a3b352f1f240a2a16c122dfd05496bd

SHA256
ab863f097dfcd62ee45effd959f7472c87f4f8f0aa2e740f59827b88d6c53540

SHA512
38cf39fb7ca4b637524d5d8a7616155fe3f98c538479446a7d3c92f94e1d1b9510565c3fef37d9d822a422b664be000a65878214c6a68ee22280ac021d3386c6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
54KB

MD5
28bfe2f4eeef6d2e160ee2d508090276

SHA1
19c71fa6e7bd100716405ae68ef834288e2f529c

SHA256
dac543474a68778384674845109fc81e6ec4799e52828fe2f6ad0b3dc6f62071

SHA512
3069de249d7fdceeb24656216e304d4d125f960604ff2e6ffde3bfbe4a9bcef3ae6df496a6e627bffd59b1d9c8eab11b86b42846afbe653cd266394ff5d8a256

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
56KB

MD5
1de88b47e103201b19a625ef60ee21ed

SHA1
bf54145b2ff996831fa9dc66d8416ac50fa58130

SHA256
ffac0531f7434727b71304e8c162b0dbaa3eae59423cd273b3f96506cd45e270

SHA512
923a215ef0bfd27d797751a02fb0953c8f0f5307929f1ed5e0fe10b0a238238f2a06d9f9c56c75976c80f51c0ec1062fb2f6da81ea995a9d60ba72e2a0f709e7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
57KB

MD5
62324f4472a0c8e8fae7c089c7af7aae

SHA1
cbc52b1f870363799165ec46f23b68ad4a5121e8

SHA256
089a897b9a132bbbd4a621add665ef40e95ea5b3692b29d8f90968817d97190e

SHA512
e101bb7aa3007ec3e74acaec726454fdf3bd71913d0a521b9fc023e2827d6840dc9cf8502eacf7bd41e5fa920ef9e4717ff97ed0c3ae78955894d84955e1ed16

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
e3024a98dae3134f926ddc8864291eec

SHA1
9debf332356127eb19b5d829bb954656574a928b

SHA256
0ed1036d5aa7a76bfce3deb2d1520ef7e4d86e7efc9133286c892b00187c43fb

SHA512
43e3ac5c61e5e690f65f11a96dfc7e3c4f0e1a59c493c039c7b820a7c4193e5a38952dfe45ad4267977bb048c5a7533864baff4978c0b6fc9175d0c8e42c9686

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
60KB

MD5
45a958a9d85d0dd708485b0124fcbaf9

SHA1
471af0355effcccdd637db11ca6db024bd76c95a

SHA256
8085ffc6058bb3cda9bf25bdbbc257b4a2b7877e41e62abb681e56a71b78802e

SHA512
97a0099d067dc740249c311bb91ae2a1306bdb3b78db0d82efb646d7e6ec43a06d1eecdbeed2840a87327913de4fe25908f0473b66a02805b8d2b9e8b9abcd9f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
2ba387d4b9a17d16aa759d6d786581c1

SHA1
0947631ef0c6b4438e1890f35b7a869ea26bed18

SHA256
efc37f1e3f70637a5850dd777c02608ff944b4803eb4d6fb8f98420c32ff0010

SHA512
3b8b063fa0baddb24deb4120013bf9b9442c47120aaa021218897318c2cf93134311207ec30f80bc0ab852d753334694ce8713c53327335ac41650f9285c5f81

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
65KB

MD5
edebb40e9be7103dc7e9cfb959132728

SHA1
910154fe79990ace2ac4332923975d773a751bc5

SHA256
f60cbcf5ec7b071b2a93bf05ec602a73699e20436318e07c3b57f58a9edd2b86

SHA512
cbf557b3a214a7f497e0a52fda991593742757b20e5e1441e68698e0d3a4536b7b39093141e9b1b78d343450e2c967d6dd53de32795ed4c4979d1b01f3d40186

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
67KB

MD5
46a54d5bfd87699b55e658c0f19e2711

SHA1
eea1068d2d4c49baaed4389698aef0d29bdbf4ed

SHA256
b404db1d2c19f5d0933fa8cf41c65b70c10a18e2a6d5957518a463a73dadb06f

SHA512
71daf631b20fde697eac2ab24aeb10f75342660c50c66872dfa6e85a8d47c61f4f888d2ba544cf9d57319d2540c313546189c3adc10d4a06ec7062b18ae9ca48

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
653a652f31c3b985152a75411a17117a

SHA1
edc739fabc9124697062edc236a03632a929ccdd

SHA256
1a4cb0d0eeda72ea85ce76fbd855356008e18b0c55c1a0e5e17cce93226b85b8

SHA512
8095eef45852cb304527db087dc30cb8119640750d2e5a037a2f412b896f992c2edd0de091cc4d1173bc818a5187c139c05474e71e198d4ffdfc7431d080da01

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
70KB

MD5
5b46d44c4eec190c2b573b447c9e9fcc

SHA1
c4c896c0644736db2d41d0b3d159289a5c2166e8

SHA256
059a7c67636e3e531624bcabc6d1b6143ab3be6b4aa64ef01b7f7a68a876aa55

SHA512
3d90f019209e847cab20bb4112124e8a5084c5efab2e9ec62d749ff967143c2259ab74e9f85e553e57bea76657d7abc819d9abaa55bf64e8a800c920cc1361ef

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
71KB

MD5
a3ee93e69583baa9ef3bc7cac5b59a5e

SHA1
e63d116945c0a7660f2127dbbd21a18eeedf0bfa

SHA256
d0df60597648ca3400b85c0c59e0764daaa4b1d155639f175ba16499549337bd

SHA512
1ba2f13c69c9f21333e7506a6ae8064dc6f51205f0de148c2f2f4d53170a84f82dad123389e56e7acfb4d40355dda7451315e8291ab666440d86aa4d9e806999

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
73KB

MD5
d84bcf20abd625b43ae998c9f333b20a

SHA1
2b5c3832e329d9947a4bdec0df3701d3725242f4

SHA256
675128d16d983445637735920ebad921fbbd886e406369e649a7a60a9302e8ea

SHA512
d07a1999229e9d6bd7979d6153eca750a128052fd94f3e5f24d109cb5d0befc5e77e2c77854d8b9c5b2d450058a320041b70efcc50b004b9557e0ee0e30d011d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
74KB

MD5
40bed1bda6ecdf92482bfb6861ecb944

SHA1
77c4de3342cc1901186a4d65114087262cb54d0a

SHA256
2ccc8131401f16e0ad9aa7907bbc655051e9acce66f261e237760b09c0c402cf

SHA512
90b59538b4685dc77c838a477882ddfb565b4b70c49ec9aee4ff19866713dd5bf49715f7ae8308eeb7e35323eea0a1360e22c63f55a2dc181e26756ceff576dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
76KB

MD5
70f9973894b3675e2dcf38c28f13a267

SHA1
c445c3498dbcce38869897834339f55b8c17c648

SHA256
235abb1152435c3b7778ee68ffb92a468f6b73f8e763114423195f02803cb36d

SHA512
28f02c7dde69e0e32733b962317980ed1c215bc7468c62178a8e0b587598d5b29b63235fa35a915feebe0e3978a1018ef014dadb2d481b9f97e6eaf9475d1ac9

Download Submit
memory/220-1-0x0000028C915E0000-0x0000028C91602000-memory.dmp

Filesize
136KB

Download
memory/220-2-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp

Filesize
10.8MB

Download
memory/220-6-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp

Filesize
10.8MB

Download
memory/220-0-0x00007FFD3E633000-0x00007FFD3E635000-memory.dmp

Filesize
8KB

Download
memory/4160-11-0x00000285783A0000-0x000002857844A000-memory.dmp

Filesize
680KB

Download
memory/4160-406-0x0000028577D50000-0x0000028577D5A000-memory.dmp

Filesize
40KB

Download
memory/4160-12-0x0000028578450000-0x00000285784C6000-memory.dmp

Filesize
472KB

Download
memory/6876-182-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/8768-42-0x0000000075120000-0x0000000075159000-memory.dmp

Filesize
228KB

Download
memory/8768-41-0x0000000075120000-0x0000000075159000-memory.dmp

Filesize
228KB

Download
memory/10820-410-0x0000024CC0100000-0x0000024CC0200000-memory.dmp

Filesize
1024KB

Download
memory/10820-415-0x0000024CC0DF0000-0x0000024CC0E10000-memory.dmp

Filesize
128KB

Download
memory/10820-431-0x0000024CC0D90000-0x0000024CC0DB0000-memory.dmp

Filesize
128KB

Download
memory/10820-430-0x0000024CC1500000-0x0000024CC1520000-memory.dmp

Filesize
128KB

Download
memory/11288-191-0x0000022D74300000-0x0000022D74320000-memory.dmp

Filesize
128KB

Download
memory/11288-214-0x0000022D74740000-0x0000022D74760000-memory.dmp

Filesize
128KB

Download
memory/11288-183-0x0000022D74340000-0x0000022D74360000-memory.dmp

Filesize
128KB

Download