hxxp://normalnastrona[.]rf[.]gd

Resubmissions

05/09/2024, 16:31

240905-t1cymsvhne 4

05/09/2024, 16:27

240905-tybb2avhjg 6

Analysis

max time kernel
198s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://normalnastrona.rf.gd

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	discord.com
75	discord.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{BA9CC2D2-278D-4541-A588-8D0C6B6B75DC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
760	msedge.exe
760	msedge.exe
3152	msedge.exe
3152	msedge.exe
3412	identity_helper.exe
3412	identity_helper.exe
3820	msedge.exe
3820	msedge.exe
4632	msedge.exe
4632	msedge.exe
5920	msedge.exe
5920	msedge.exe
5860	msedge.exe
5860	msedge.exe
4080	msedge.exe
4080	msedge.exe
6048	msedge.exe
6048	msedge.exe
5740	msedge.exe
5740	msedge.exe
6008	msedge.exe
6008	msedge.exe
3604	msedge.exe
3604	msedge.exe
4848	msedge.exe
4848	msedge.exe
5528	msedge.exe
5528	msedge.exe
4520	msedge.exe
4520	msedge.exe
1744	msedge.exe
1744	msedge.exe
4580	msedge.exe
4580	msedge.exe
5192	msedge.exe
5192	msedge.exe
1152	msedge.exe
1152	msedge.exe
4904	msedge.exe
4904	msedge.exe
6060	mspaint.exe
6060	mspaint.exe
6000	mspaint.exe
6000	mspaint.exe
1876	mspaint.exe
1876	mspaint.exe
5780	mspaint.exe
5780	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
5248	mspaint.exe
5248	mspaint.exe
2104	mspaint.exe
2104	mspaint.exe
1588	mspaint.exe
1588	mspaint.exe
3256	mspaint.exe
3256	mspaint.exe
2632	mspaint.exe
2632	mspaint.exe
4604	mspaint.exe
4604	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2416	OpenWith.exe
5004	OpenWith.exe
4808	OpenWith.exe
1464	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	684	AUDIODG.EXE
Token: SeTcbPrivilege	5808	svchost.exe
Token: SeRestorePrivilege	5808	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4820	CredentialUIBroker.exe
2332	CredentialUIBroker.exe
2104	CredentialUIBroker.exe
4992	CredentialUIBroker.exe
6060	mspaint.exe
2416	OpenWith.exe
6000	mspaint.exe
5488	OpenWith.exe
5004	OpenWith.exe
5004	OpenWith.exe
5004	OpenWith.exe
5004	OpenWith.exe
5004	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
4808	OpenWith.exe
5156	OpenWith.exe
5156	OpenWith.exe
5156	OpenWith.exe
5156	OpenWith.exe
5156	OpenWith.exe
1464	OpenWith.exe
1464	OpenWith.exe
1464	OpenWith.exe
1464	OpenWith.exe
1464	OpenWith.exe
1876	mspaint.exe
1876	mspaint.exe
1876	mspaint.exe
1876	mspaint.exe
5780	mspaint.exe
5780	mspaint.exe
5780	mspaint.exe
5780	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
5248	mspaint.exe
5248	mspaint.exe
5248	mspaint.exe
5248	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3376	3152	msedge.exe	86
PID 3152 wrote to memory of 3376	3152	msedge.exe	86
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 996	3152	msedge.exe	87
PID 3152 wrote to memory of 760	3152	msedge.exe	88
PID 3152 wrote to memory of 760	3152	msedge.exe	88
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89
PID 3152 wrote to memory of 2240	3152	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://normalnastrona.rf.gd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe5ba46f8,0x7ffbe5ba4708,0x7ffbe5ba4718
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3556 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8808 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8508 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8512 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8632 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16857834690563396416,11250253429140560413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5680

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_lubieptoszki (4).png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_ptakwspodniach (2).jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5808
- C:\Windows\system32\dashost.exe
  dashost.exe {3966544a-b6e9-49db-82d59729838c53e6}
  2⤵
  PID:4876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_ptakwspodniach (4).jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_ptok.jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_ptakwspodniach (3).jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_zlyptok.jpeg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5248

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_jaczup (1).jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_zimowyptoszek.jpeg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_lubieptoszki (1).png"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_kichajacyptoszek.jpg"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2632

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\media_images_lubieptoszki.png"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709c6f4a32b317f6487b598788b6353d

SHA1
50f44d43be9630018f0bd2acb1528df07cd05b7f

SHA256
353aff71e8cf078c88c836e66d86be266ddbe36496a597b9b5a5a87d21eae83b

SHA512
4f33792eb73a792c88e8e2dc8bef7b00a2af7b1b91f4bab0cd5076dd2cb9abbb752eb7e60a4c6204d15f9bca1562915f2468b94e5f01f79279e1e7469055f0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ebc024cdb324eb41f33c6ec63d1458d

SHA1
f623e96981ee63c1b6879f682c4364fd5c2265e5

SHA256
23b9bd7316816043f42a80784e7f247f3afebd3dbe370fbc702189a6a0dddb1f

SHA512
6971b6430bc01a36c48bc1e41cf8c4bed65a2890837f7778a896072159940ae739d11834176cc7be6cf6fa0f2ea9e6764c30cd23beadcc88c390e5573bbad097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
102KB

MD5
b51f3ef72b6a9ae6313840d01a3be4c2

SHA1
a8d83f1c7dd479559b3ebc862bec38ce2e6e1a42

SHA256
997292de9da7a0e537684cb357a2dac807728df447a1c8e1690cc3c13b6e6a09

SHA512
6dcccd7541124cc86f3ae4203e06967a7548aaaf169912d9698b2f5d251a3e8fdcbd6d00decac2f48bfdce3bac175ff3d22c013b1dd3340388eda9f1b945e897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\03ae0658db22f33f_0

Filesize
289B

MD5
325e94622d947268197e8d6704e2d1dc

SHA1
931df76cf3a6dcc48d1ae8eb4469dbf4bf911bcd

SHA256
648fd80ac1b773eb5c45e24e419ca0877703c372415390a306aacbb9432ac489

SHA512
5530c7d9cbb5c8563946fd5e077c2d4fde4f2e75a88ce7bd37fc585946509bcafb400f14911882ea6d7006f4b7eaa6bfd686949bf243e248e202caf2df2a8db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\91514ba86a70c6c8_0

Filesize
338KB

MD5
b108443a84f9b9ea5f62141316759cb7

SHA1
fc8b5a55b313411fcbcc3192f0b2c208a0381fcd

SHA256
e70e07b12a9f209a9762a8a5343d10e3cd4115b2cd83a4ab303bc5c93bc45d02

SHA512
13aa419160a90631601de27994e57af201481af96eb596893987cdd0ca9b8f74dad060953229d68e7437ddb158b89852042887508b23cb0979a192a5de3b6c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
fb63960313a9cf5e3074cea05e13f72e

SHA1
3c8be248b7af97785c108ccbf3fc77f0e763b260

SHA256
0b755d5f8610843baa34dcc5715402af03a743d600d0ecfc94e86a9efa1bb909

SHA512
ae9444cdaf6a5dbc78d264d6afee69772585e97f214f14b18e857f89c5d204be021248237fc1094a4452309876a9b500161723315d5d9d2c5145e7f32c23a45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
546c0dcac29745ec650a205fd563ea22

SHA1
388293a50fb84af9696e6a71b49f59eed44500e8

SHA256
80fa086cd1961fb65f2498dbf1349800bd1f5e0e30edd5ff0299198cdef2043b

SHA512
e065cb68b4d3cfd9d65e8d3811289578797af3a1034947fbf546e9971abe89fe362a16b42f12eab895e3588a8dbe0182fcb441ea896a82dead66781c609b7336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d45b9319c8cc99c2cf11760f3d581b25

SHA1
0b4bb26b8ceb075db4f26793787a0aa4943e3250

SHA256
981420fa8b915b974556017b0b154955f53defab93ca0fa84b00a04c6ccad83e

SHA512
14061606c1dfd05a3be19284dd32470e0d9880c875ffece3a379d85d4a28d6526d9451df9f396b9015fa2e743f4ce07223fe73bd6fa348c416fbf280ea788fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4510c9c5cc7f45690d76d5b6866276f4

SHA1
b2314c39933b0226a3cce3de50afad849a6861bb

SHA256
e1a23006d221390dcb3944d360eeab155bded456519515088e0b04b9315c5d30

SHA512
3dc295db6d9e443b133f6f045488b14596e5cce4704433695031c443bc34d01bf852bc7e8e01ae31d6c96af1c342dea511bcce72bd15b16ac92a108734caced0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
60903a41c9f434627c44437448670422

SHA1
a84c41c4da9b3e1ce12866c447ddf0cd225c35de

SHA256
5f25a1db9653c8b7cc7bb6bd43d88b12a9b879469759246a736745c8c7d8f2c7

SHA512
54c57225e4b102c18d6539f1c89cc667d4be5b2db814971c59afbed7220d372d94e016f7dfcca97505fc9567a5958f356703be95b5f3866e1657dabaa75c97fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b51c3fe9abe98cc0f99af805a83f9426

SHA1
8b46e6f72e0221fd291bf30704a81085b2f6ce2e

SHA256
6779f6057bdb712d9325ccbfeccd4d3f8e4a1825691e3fd2ba7c2a357da34285

SHA512
32cda06ec6e5ae6241b993b26ec2f3509b68c7c17e5d8e461f70ee394f5e6e55152b0bb9af2cd097f3011517ab88875898f82962dc4c80a7a3267fc5eee15f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b41841dc356c36ac647644f0e0742bb2

SHA1
1f530ea9c7358539e0abef44c47426ab4c2b12e1

SHA256
39b6425aa67ed3adba99ed631d8bc74cbfe77b9a2ce6029d37fea5b950472fa5

SHA512
a4482a9535b5806b746668bbbff5427fbeec45275ae998d75c2afa6a3a40cc26ee176a35273141d244590ddb02ff7b2a470b28b7e2b4d4dc8c637dcedb9a55a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de9c896b48d4a22e9c017b8faaf744f7

SHA1
ac39fe0e4007a88a869b7bb0259fb98c2467ca6a

SHA256
d7c6b4468fecc5081933558744b4a8508b6bb7c56aa38c02204f13341477fb95

SHA512
2ae423707395a8c18a012d0fb2668ad37ff9a7640abca33fda2caa1e1a9384dd0c0519d1d4d9ace036df51748fa25498516501cee10aee8253d58372fe592191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ea5c442e4448a62abc6b1b3140241b9

SHA1
c06fa185a1396989ed15d86c779773abc3c63634

SHA256
d9c2cee1beba6fc87a20a99be050d8fe43e3d25efe18ced70219152eac4da784

SHA512
c05ef37be02509eb410c12f062834c26a909c3af955072c23bafc7311c60da9bebde1bc11b7bf2364e5b839e5517f513368d2254d9d8418c60e01bbf752065ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e8340de2f6283abd05985dda170c688e

SHA1
d31f34495b1fffbd3ad5e4b1f3f85e4d560208e1

SHA256
ade159692065fe5bef2b8488cacf14cb920552bfbbb79165104cd455759940d6

SHA512
6bd80618a401cd068f7a613bb505fd39e3fc2d74bd6ee6d8bdac814ef09c531c9680a3a3d3b5c2e0b577f766df44ebdfcc44011614a8b06bd2148255d7303e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9730bb9b1e77d42673ba7f162ff597c4

SHA1
430ee99ed75dbee473b53806169cbf3f2600a255

SHA256
f4afd037177c89424966dc9dc09e93ac1f8b6f2500a7839c6659baedb06b8f65

SHA512
5befcdc95c0f5aa88f7e026984df6dae7d52461aff8551b28e74dfa90a6373c14068baefa944851dd17af18099123b34172a4fa17474f18c1287ac9242dff742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83dc80b53b44b55e9d8cc53eb585900f

SHA1
3de18a6567144320035a19aa4301b65fefeeb5da

SHA256
f28d540249c0b43b8584463d37137dda25405ea84b0cd752d4fdea230b3b77cb

SHA512
e905e477afe38d7a45439b6de53d63bb658f7013ef125aa81fa109731b1b674742d10bbbd02817996cc3755f09dda01ca5016011fb05e0aa07b2cf768f517b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
024f12207ddc79c674e278232b413653

SHA1
02428be16c8ee55bc8f904a1bfe829a8c840c219

SHA256
d60ebdae1eafec5bd7aa481a8a6b9f5772ba51bc68df769cc87ad3f094b9f6ac

SHA512
8c4b357fdd8d00b99e47992713d304dbcd46656c4cc3931394d1e772a26a4e57ea670c76650677ec00a57e14907e18730270a60795c45ca5e9ca68d65c4b906e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
494a861dfe3fb61b7f6e9a8e1f92d179

SHA1
903db9c91a888cdd2a359e921ea2c1a958228aa9

SHA256
46ffd9cec0b1524402f64218ea9584cb751cd61e56eae54ac0ad61c55273c690

SHA512
f97bfb87546ee38f100ef52f6ee6d102d05feb378a940954a1953f5dc301e6ae7a91de2b2176dcac165a61abf867e06e3e31572a378b1abd9ea2768de76e7175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f123c478c4ad6d47e0f8facad5f83bad

SHA1
186ff6756bf38e1959b00cc1708ddb4d4d1cf635

SHA256
01c43667615787bd6ed43eb7b5d2b6c3682a2a8dd853e4e74b635c943049c180

SHA512
09dfb7028931795edcbdfffbe9c847a9ae69413b9c5bb3ee27f99b1a6f7d66b85cda2a0be32e6f3a2b5adde801edc05636696ce24dd5ba0c86884f399cee2051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f8bec98851cf898dbaaddd93b4eedf54

SHA1
38457b4266be6506cbfbf0c736c18090906ffb7d

SHA256
b830d688976b5068d5c6365ef767f519244783e06dd98498834ae651ee22ede4

SHA512
7895d5e3ba6fe2fc62d3393e52598eaf1c8b9724348f76057efdc3c31e5c19ce1442828a75543914d3d6f9315b11af90d48ed99ad75804b61e9253c0f1a8f754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
d9c450c41d397ccba8356ff9bff35c34

SHA1
8af0170d25de756058f8c6110a617d5998ae8dc6

SHA256
c26065694681dc8094cd472cbe90e1834fbea3f36ee6d536026485a330728301

SHA512
3f39d155aa67c04b405ea98e8e00e009880870a5a2148cb3b8d7ae07c16d4056b3cf697b2b44abe69e68c67870cf5d5e606b09275902f44c778c3142c8f2aa0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d6d.TMP

Filesize
203B

MD5
f97d3b431bed0a278d84bde9bcc53db3

SHA1
5c8b4a81ee779a3874e2cfc77794f3fe6e198316

SHA256
f7113701faf7dff9b0ed52b90cb6cdda4917d5a6906cd39ade7c1da5faf6ed77

SHA512
1f8f7ee01a4db1db83c6f697c5455a396bd8f0f7892e84ecf2519438993e32f8b1c09a05c918ed4018a5c773a8e16910b96b9682413f32577ef9cff34852f76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9227b9f22517506d37e52a0f71ce33ab

SHA1
73a99e0c864cbcfefcd88aecb90e890e2ad3b887

SHA256
dcf32f623f38929824263b57bc71c681c2a55e2b54ef5064ea77c4f106091a46

SHA512
612fa408edf07df6e03432476f02029792d98234e982cff7f243a71d6248adbb2ac4b9b068b13af7cc2e5c71718a232c10da9c82af046aedbf7ae5cfee16212c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
986f32df15a9eb4389d2943479ec387d

SHA1
cdbcae5c2bf942c6063f56b12f856b3d0e257d67

SHA256
72a218542812dd99730a16901ea17a2cd8cf949c1d79960a0f943ebc1a320a3d

SHA512
29570c93e1eb8622cda5018a1abae0737f5fa177eb40ca7519599d787fe5b6a46b7c7cea38dff0adde9205eb8fda8cccc8ddb5df4610f2eda35b3cb8a7fbb569

Download Submit
C:\Users\Admin\Downloads\6fd35e33-fa65-413e-b53d-8f8871c9d361.tmp

Filesize
44KB

MD5
a13fe63a893c984a83a37dbdab9e358d

SHA1
717a2babfc4c89c7784fb2f55386d5226ce56a71

SHA256
4f52cae5b8c7483f61066eb1f41a6e47c8e5234405c007f748fd156ca023d689

SHA512
fbae5f41696f01d13e29b37c195402c18e8461a18757f8e899ddef4d0ec7dd4dd6769a26cf9e63f6a0cfbfeebfbe5d1a34cb0e802f6ce2ca90e41703fcbd0257

Download Submit
C:\Users\Admin\Downloads\media_images_jaczup (1).jpg.crdownload

Filesize
63KB

MD5
7625ec198fa4f96f2eb3f48a9792ca98

SHA1
e1b255e4029ecdca97489d39102113fe6fcd6cf1

SHA256
25539eb30a24e86165f9611f8c658617a3ab337e6c683ac788d14e7172152ef1

SHA512
598dfeccd4293990061cdc6117e96ac5d133ad60766fa81431341caa255ef3ac620bc32b7579e9a67eecf78d92d04b11015b3f37aedd1f540a246d066279ff44

Download Submit
C:\Users\Admin\Downloads\media_images_ptakwspodniach (1).jpg.crdownload

Filesize
46KB

MD5
9987455160273726f5894678429d5abe

SHA1
5291675ba62eb06953ea2543d139eb8d8ba1dd4f

SHA256
1480e09300dde94453bbf45950edbd2bcee237629c59c4930ae3dffa675ca75b

SHA512
75086a0cd7c6768c1a004871ce73e2da80a4b8b55134a881729b81067610e5fc61b5db5d9f4c1840a55f7fa74a782a8d3e33df10cb37c3d50eb6d6a560e1ae1d

Download Submit
C:\Users\Admin\Downloads\media_images_ptok.jpg

Filesize
4KB

MD5
0d9406f22c33746ab08f2ae809c4e029

SHA1
f85811fbeeb303d78ed6e029593fd80ab0c15ce4

SHA256
7b4efa4e224f9a9befa780cab54fc03cdc1bc6d90d78dda68856c1b91e26b9b4

SHA512
5d047ce63a638fa81cc526be6feb755a53a168ffe03abf602d5ab084bd3b89c93e05bbe9edf4bb42c0f960765d264272a29bdd44d1b4b1b7778171ce9fe4edf2

Download Submit
C:\Users\Admin\Downloads\media_images_zlyptok.jpeg

Filesize
8KB

MD5
abcd67add008164a9e8a6fdda7c44110

SHA1
9dd2e268b07b080a6c18df73d5313e4b8ca1ef0e

SHA256
f31abee6629248b05f89c5b8d40f3180f207c0b5263a1dccdbcb5a9b65f27a8f

SHA512
d3d55e8cbd198bd3c5c7d76e47774aaa347413ddae78e1f17cfccb2c99ce6ce1392a9747b551d526fe272a12ba6c7a5819d6edb5df9f7c3643bcc0cc70e1c23c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
ca4cb2a6ca38fe0f8a695edcdafd849b

SHA1
a8faa1948e24c1c48547c9963209563aa6f318f1

SHA256
b9e7a0d96fc67d4da2e636f0a33c2c38fc164523567b0ecf49764d09bc8fa180

SHA512
18de243b8bf5434bd19befacd3f7a6d281dcf8d511dca2c3220f68b20648a4a0ae1cdd640edd20063e3434f7c747a8fa2184d65f5cf1f79b9071988be7923f40

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
e41995979571e3ce14231408bd4e05d6

SHA1
23aab0bc67571434de743ecb9e4b36a38656be9f

SHA256
c4a80c59cdd66bba663d589785be2cc8124441524c77a9a5bbe58b17625dc119

SHA512
010f817ed2f434c983082277c483d58516ae4691c730ccd762c22b8d850108f17ed7edcb53d68067ff835eb63d1ecf0a54bbef8d2cae8032f1ad35987f09302f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
ce291995db58c54854d2c02b6544c42f

SHA1
a13c983fb733b2ed4c78ff67c219783e32bc28a1

SHA256
99aa2b2e6523e7bc963121b386255467e4f2b4f7c6847cd47b209f3743ca457e

SHA512
b48aac8ebb1d0db6a95642c4e2e6039ab164433e0e1cd2a0f23e4056b678e7ad34a4741a5bb8871b9e923731b883a4ac05ef96e38894df91b7f957d8dcfc8a04

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
63e32a339308f9aececa2603a18cdaaf

SHA1
414c8dea7af7ee2b0651cf180e44ed18a4d1f93f

SHA256
090bf4aafcff334dff8faee6c3bc90c63db6f51c1adb2f34f65eb10f848868a0

SHA512
cd06804e119b773670f6202496b2483e819c84221b0205a93f1373ee73bf6addce62f26c0e19b2dba230066616ec71fb7c0da9b00b6c39769dacb96ff31df983

Download Submit
C:\Windows\debug\WIA\wiatrace.log

Filesize
19KB

MD5
f89e9441c92affbc4f34f7f730ceab30

SHA1
b51cbb6c613dad980f56223a2a078791cb776c86

SHA256
666ab6e04049bd6e18934a26baa958c8abe6eef11425b6ab61460ca572eaef78

SHA512
aff2e4d1ba0e02da01c876abbc9e010a9ccfefce96783d3567148f51b5386bd0a286ce506f19715de70fb73e9d1bad054efd10509a18e4ee397bfb2fed23032f

Download Submit
memory/5608-779-0x000001F7A3B60000-0x000001F7A3B70000-memory.dmp

Filesize
64KB

Download
memory/5608-798-0x000001F7ABF80000-0x000001F7ABF81000-memory.dmp

Filesize
4KB

Download
memory/5608-797-0x000001F7ABF80000-0x000001F7ABF81000-memory.dmp

Filesize
4KB

Download
memory/5608-796-0x000001F7ABF70000-0x000001F7ABF71000-memory.dmp

Filesize
4KB

Download
memory/5608-795-0x000001F7ABF70000-0x000001F7ABF71000-memory.dmp

Filesize
4KB

Download
memory/5608-794-0x000001F7ABEE0000-0x000001F7ABEE1000-memory.dmp

Filesize
4KB

Download
memory/5608-792-0x000001F7ABEE0000-0x000001F7ABEE1000-memory.dmp

Filesize
4KB

Download
memory/5608-790-0x000001F7ABE60000-0x000001F7ABE61000-memory.dmp

Filesize
4KB

Download
memory/5608-783-0x000001F7A3BA0000-0x000001F7A3BB0000-memory.dmp

Filesize
64KB

Download