toxiceye | hxxps://mega[.]nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0

Analysis

max time kernel
181s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0

Score

10^/10

toxiceye discovery evasion rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 2 IoCs

pid	Process
4384	TelegramRAT.exe
3420	rat.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
64	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1576	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\ToxicEye\rat.exe\:SmartScreen:$DATA	TelegramRAT.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 847824.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe
1892	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3420	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
4880	msedge.exe
4880	msedge.exe
4652	identity_helper.exe
4652	identity_helper.exe
1440	msedge.exe
1440	msedge.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe
3420	rat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE
Token: SeDebugPrivilege	4384	TelegramRAT.exe
Token: SeDebugPrivilege	64	tasklist.exe
Token: SeDebugPrivilege	3420	rat.exe
Token: SeDebugPrivilege	3420	rat.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3420	rat.exe
744	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2284	4880	msedge.exe	83
PID 4880 wrote to memory of 2284	4880	msedge.exe	83
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 4784	4880	msedge.exe	84
PID 4880 wrote to memory of 740	4880	msedge.exe	85
PID 4880 wrote to memory of 740	4880	msedge.exe	85
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86
PID 4880 wrote to memory of 4716	4880	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd70fd46f8,0x7ffd70fd4708,0x7ffd70fd4718
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Users\Admin\Downloads\TelegramRAT.exe
  "C:\Users\Admin\Downloads\TelegramRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3628
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp.bat
    3⤵
    PID:4596
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4384"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:64
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4180
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1576
  - - C:\Users\ToxicEye\rat.exe
      "rat.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3420
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:2876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3948
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:1752
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:744
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:3600
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:3936
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3856
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:2492
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4760
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:3908
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:2536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3472
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:4644
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:1428
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:2824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:404
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4384
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:1904
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:4800
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5132
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5172
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5188
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5240
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5300
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5352
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5392
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5424
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5444
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5460
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5520
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5584
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5672
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5780
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5824
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5884
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5984
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6044
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6104
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5292
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2876
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5588
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4844
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5856
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5232
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6140
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5076
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5828
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6156
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6268
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6332
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6396
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6456
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6496
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6544
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6644
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6740
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6844
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:6976
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7036
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7064
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7112
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7144
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:3776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1040
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5404
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6376
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6780
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5288
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:4844
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5736
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5668
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:3964
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6912
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:1592
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6576
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:5404
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:6992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7312
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7368
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7456
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7528
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7560
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7580
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7640
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7692
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7756
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7832
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7876
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7948
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:8016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8124
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:5288
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6284
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:5808
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6592
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7264
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6476
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6428
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7672
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1036
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8136
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7692
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7172
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8024
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7408
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2876
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6416
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7364
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:7664
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:8104
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6280
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8312
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8416
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8552
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8668
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8716
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:8780
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8808
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8880
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8928
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8956
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:9012
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:9088
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:9168
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7216
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:5980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:2568
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:7644
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8764
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:8156
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:8804
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:9040
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:1304
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:9076
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:9012
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:8860
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7900
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6992
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6428
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:6476
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:8948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14340840181149970794,9830216754150851805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3136 /prefetch:2
  2⤵
  PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b89b603dc6377d4d0df9040b75683d4f

SHA1
1bd8852c772d316f9ee1a7fc3fbbb721a07bd5b1

SHA256
d47ab88a4cd725ff5d53499fca2aab14682c1cf56b0edfb5efe65c48210014da

SHA512
87cd1ece3203d69548f1d2f16651312f12377df5083dec0f8a44182b6ad28e255837c35dc33801c4a904572b9d8054733a05a364f44ff997ff91f02367c7ff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92514578946067892761d61d0bdc755d

SHA1
2db570232b7c77bea15f2deb78cca17c51455e98

SHA256
0430bfed59e2cb33e93107035101b874e0f6e01f0969afbe90e1691575644c45

SHA512
b7d73ffbae54cea2e4eae1192028f23d2dfbcf305fd44a1ab858cfdd926f79734700ef000536c28e12533860cf1b54d86fad3ff96f6b4e341f6cd8944e55850b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c8ff0da4811c274c86423009cf10061

SHA1
845b8be1796323c97d439056d05db7346b6609f2

SHA256
b4f3db18287a277a849e95a81efb5a22670e49ab93a56434a94628efb32f0304

SHA512
41643c4886c6dec8d3daad96d6bb453e3114b061be73cbff53bf9c17ae2c5ac1b2900faf9e4c98630feeb2d5c7d832224b40fb4789d220f3c0b5fd7dc9e543e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3bd767b1cfaf7b8a7caf373061db8a2

SHA1
8bcfb26379ae4224d021b8500ed57d819ea8ba27

SHA256
32fabc81c3108edf810282c3ca921314d53b5faac43407d3a577b73e48ed7926

SHA512
7406de0ae5aeb18b9d36890ad30fa352161043a6a4adbdc9cc21b379ad3d2a222b82235d2a422775c167be66075457cd66e5283df602a466d74aa9365571c14f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3f855a7297ab51bdde4a4db764dc6341

SHA1
b9c9cc657067804066fda40ef73ed7955768a531

SHA256
3d23118a0cfa7fbf9ee14e47dd215d27e3296315efef4d6d3ca105fe15bbce7e

SHA512
cc1014574c84ae0f59f702ffc240a8e439dc58697e896d572c0fc605f191bd98af37aaf53655f5e6a49eb98948bcad7008365df0e97ce35a832fe4f1bf494035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581c0f.TMP

Filesize
48B

MD5
13e6b9b8194372d5b2dd30012bbc295b

SHA1
e7644448510141cebf90b6113250e33d9d0902a8

SHA256
ed65b1bad0691d9725c6fce3ef13329a2cf1310480eb0ea6b897abc02868b02a

SHA512
210445e66c4ab0498bc1a8ea74ce00b6078104a23337b90a187f020b3430ec1f176f5eb836d3830d24b1b9b132b3e7af77f5ec2cfcc7f45750ef0d6d2c519875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e04ae3775b178390deafbdd2551ae230

SHA1
52dc552e5ab6126d4a2feabfb24efef57cda6bea

SHA256
20918b8ef606d21ae101440edc8fd5f12b9e85e08ef2d6b7b42a16b61eb90142

SHA512
b15a7c8b06b2cd32cf05aa25c81fe38cd004c536ff9ef89afd01c57a84d655e3b60ebe8dd04c7e8ed82c371c3afba704caa4260addad094443c1ff333c8637dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
068bcae824caa3fe1a33a58e9c852134

SHA1
862197b71bd01ad61aed79f03391d28aaf7cbe71

SHA256
811e6f5891c0b0747846eedbd4663de936f2ad7d517584668ebedce7ae0f45a4

SHA512
d0ca0c06e8594d457bb8a021aae09c7a4bc2a438e0372a6cf789ec74600b247be9ad2de687fff489b8ff6e5a9a53b1c60ecb503573bcac36eb043094053876af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp.bat

Filesize
188B

MD5
bb5d1b1722e4891b6475a79ee91e7f85

SHA1
f53a985fc45bced1e1b7e4daa5ba991ce38ea629

SHA256
7f09a20ec35a0c7a901efa32364f24f9fe02b0ce25d3189855696be47529a003

SHA512
0dc58ae3048ed8d62bd80ad38e0d987a7ead18f25a0ea4f12923ffeb349c9975e154ab230d24444a7fde07db27e4d4415f19de6d0b1371f19ddf96d969578434

Download Submit
C:\Users\Admin\Downloads\TelegramRAT.exe

Filesize
111KB

MD5
9c6f004d573a9660f4201028b795cfad

SHA1
235d54b393067c9ebceaf89c25877f8f310bb037

SHA256
3e37cefc156c265e1b048f8f59caf0e87c9bd097e9a43d4c0eeb2f05999add5b

SHA512
ddc6c0856576611329be1ca108c2d97854a6efef1bc3ad3d4266c562b8ff92a31990dbe4d3cbce57c13f733bdbfd9d3e98a8200929ced2f26b4c63743bb08ef5

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
1dbbb096c7dce3b3994ad5a072064e4c

SHA1
a212a2bffecdf98867c33d2def15cd3b1622a5d6

SHA256
d8c81153bf38a1e9913564d586f580eeb53b8d52c95deec63b4e5efe963f3c37

SHA512
6184d81bc545787c447ebce2165e4133120b2cd21a4e6ebfcf5e6f5c405a22cb2c80407fef7a5b94fedcb5039eae437f811341692c1a16c9978169dcb5c1209a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
ec54b89b4747ed76d04b313f11754451

SHA1
b386039184437ae94d1cf77197b9bbd7ff625a84

SHA256
d577735cb3f9ec922054aaba0a8fd695391f643d7b12c925a674092a96b90686

SHA512
a431f769b32091111b9d8d4b1f82d8d4317f71af6ed8e67ece508c7850f6b462ecda81ab13aafb126f3e53b1e209139c39616098bfb4b667455da832546ebf64

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
20ed1697e62bc46c3b67c8a5694b0e4f

SHA1
35ccdeb4a773dc315b3f6d4812b042226d5f2dc3

SHA256
2b0d0337052ad0088b89edd3825be4e8fc414832df8758b822c5a80ce9d2f8ba

SHA512
9d2391002cfb2c17b97b57bdc62066d84ef7482ac162998529a23d5dd7b242dbf2c7c016df450a931d60b0e72200d9cb13425c8b464d524ab8c107c66f0b98bf

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
ce0e4a58c6c56751125e23ef92790417

SHA1
4a5d69a5b204bf5e5b09aaa562dc348698f1506f

SHA256
e18fa3725e01e9b5e1fd118ba08c3fe207e9d3e39970404a81bb1a701ad9d9d6

SHA512
33c3bb52c825286976bb9e65ec5ed5fac391883f864fb6af8fbfb51b3fb7c5c91df1e068a9c66e1d2502de570feea312f97664f427695b55ca149c4302113002

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
94eece7f6aafe49d343c4bb8064c9065

SHA1
906aaf7402eda2a21ab12fd5ad4f6504aa142e3d

SHA256
c6061360717a42cc94ed752979e984549eef6d702931abe6c6732a5ff3373dd3

SHA512
4b1f7e5ffdba31f5d153b7feaed5d3d63f97443ff9608636f27f7c0286372086d0ddb6be2504fe7504e45e7a888e6600ab7504115c4bbccaed897073af1067b2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
2835c10dcf6e5f2d08078096a0f191f6

SHA1
87387c2add1a3e8b8d80078d60fd2e3db58d408a

SHA256
112164c643cd04b2c2daff17c580cd84afd0cd72f8247260c7b64f5a8c6050dd

SHA512
764bf78bfcd73e501c215d4d495a03b618155d368bc92015c0919014c5a8c55b3888a628dce482b696638112daa63e8db5a5d28fc60df8f9f6abe251b4804146

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
f1dee5f9524bdc5e77bd6a621f837ab4

SHA1
9bc6ab031c0e3c03fc8b718d34c71bcbd66699a9

SHA256
c5bdd639c69d2c62435c3c200e3d0feb0f3f9dd54cf873fe45de87a9e089c546

SHA512
8fbdf0792449fdc483e3db4b6d5beb206ddf72b96c91af48afaf1e5c2191845edf3d875c0e54d1d2529895b531641aa463ed761e5fa0e03c85016f1d1391974c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
0be6abe82596a008669703a3ff014ec2

SHA1
c91776b24163987fa1554cc475e8eebc7d74a84a

SHA256
f35f476609107e3f4443bce4621415f4c3bcd5f1c44e31c17497bd879270d107

SHA512
92e0dc900d96695860fb60f61791714e34f44b3c43b4ebc10b1826f5ae225c3f02a72e43214cb8c6566551014bf46cd86b904cc7f7e2aecab8513688cdaea72c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
18KB

MD5
f110b3207d46e6ff3eebbc3edff29585

SHA1
4c84b5a497e5761cc90d5c4987b50b41abb9805d

SHA256
005df69b9d4212069f50d7e0c9adad35ee745284e7f658f5ada50eb7ec5a32df

SHA512
555b92aa76ae00cb48e159e66536234b1c15aa1e20f9e83cc98c8dbf4bf55d226937cf4a0603d5998a21f38b87a4392f12cca9da5c72e11e50c6a6b22e899115

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
1f952b7f94509be2a3899e7e12a5f9cf

SHA1
2a7495b7da13da74449d9002d50c79212a9497e3

SHA256
a4b2da614e845e08cdf8c2083292ffdfc6591f29a2e55b8128660177c03047e2

SHA512
776048c3f8b6475993c722675e153b9d4ae53d2a0caf587d1f45b88a531ae0eed7f370fe093a34dbf0828c492a87cfbb7d53681c214d3eff01389bcf5720ee04

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
d4c7d1ff36ae1d220b53973ab2498db9

SHA1
7c944a065026e94c30fe855d4243277bad8277b4

SHA256
8272fbec3e4c135ac7e2006ffd02e8bf1468e404085eb846d0b97dcf9b8e5993

SHA512
ed2453058947adcc5d69f49ada9b4ea5a11d3932f5fbb547d4dd78bcea5e1538a7ef74715f1b17bfcb8f9d1ee31ee1a5b298cbe259175f74344008445b49c162

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
4381fd3103f8a912ee0d125d0ae87b7c

SHA1
d82668b8570746107c3c4bd8b4409238c6848cf8

SHA256
b6012c3d407ca8dc7605cc1df08ba8f9ea7fe205d8bb74cd793439f2711cd195

SHA512
fc80fbdca5150a293df142e7597e38be3d8c7c52ccd91f435355a6fb0a979b115dc8b6cf8ad96d059006d7bbbb458ffd962a88f60ad3bbf287be01fca42164a7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
163b38aab7d5dec34a5b469f4d3b3fa4

SHA1
a0f2592b127ed5673c9b0f580909c43eba7f9b72

SHA256
cd2628025c28309856eed69a226e7d6f07d9a3f586d41e88b2a847a551f25d7d

SHA512
8aed5dec0a6cd6d5579461cf48b71fc6fe0640ac425c98a8db43b0276a719ce80ba8902d80a953d7a82a103ee68f2f6f30a10cfbc4782bcd2b3495ae72ee5bc3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
9394e0aa464aa62c22696dd3c8099207

SHA1
d873ed1052e933488b420dc6d27ad40ed807c631

SHA256
c63bc37571314f9be0b83cc0c5cc5aea7d8eb5e34202ff52ea097a6c427dff44

SHA512
5062cf2d1201999bb5b46974d987a2b1bf67f2c5e0697334a7ed51efec12e4059d8766ecce5a56076d27a4dc849e1e3ee29813adbf8cdebd7bf52eb3d5819ee7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
a18abe9987723f346888cc12507caf99

SHA1
e00992cdc2e2294c908eea3c956027bdb3119723

SHA256
da37c1af7439fa2078d8f668f6f5772169cc821f5736455e65a08bd30bd84a86

SHA512
8eece3797061b5ad2b7b9aae78f18d2cc2a90d535fb028f4c93b32aea4f10f644303e1784f7a2af7d391a6bae422afd9139d0ecaaa9efb1bd75ca005adffaa1c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
8f178573120a7dfb2ceac834042afba0

SHA1
e058763dca8d48f841954d5e07cc42e2629a1da2

SHA256
c698b8a0b0efe7a625e5703eb175414a479a6d5cae20be3e0f51f6be5121377f

SHA512
8dabe07aadefd7a99d7edecedd489ebf33690dc75bc6620cbc0e36220eabdd9afdd0ed438f12e0d2f7ad8b010ffb3d294c73f5a463157ea873674e3ee8046dc4

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
35KB

MD5
7a2fbe91a7bb88df553b711a188bfdf9

SHA1
dcef7faf06eee22f8c42f8de38a74b94395ad608

SHA256
8ede2636b5cb075409c58872ec20baf8e05d9bd3110d6952aa87788570dbc03f

SHA512
a99223f903366cac3881da25a417ace7a293eb9abb3ce44adf2dccaa7ec6d78d4d0c2082e85bdcc203047048662c05b9f77086db8e93030bbf7d500d388f0c51

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
8c20a3b135271e4494838069c71fb4c1

SHA1
049a8eb745a4567f58d369bff18347bd5be42ca1

SHA256
e182d34346f57f4535eb1a1d8c895bcf32953dc132aa53785f222a6787d07d39

SHA512
8aa17fd88a2f0af88ba0babe4a02d69405b2a645cbac0bc8349aa284f198edfee48b23823ac588eb95270c9cff9edefa0f69bfc548d9bda3833aa3d9551bfa86

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
38KB

MD5
8fdeb3c21d1d3e27515de3d2ce746388

SHA1
0f5a56a3e9d73b34ac53dcea44fb1b9696545424

SHA256
5bde94fd042a32e878e51744bd99dd36683ca5ffb5419c2b7018468ba7129fb2

SHA512
4b1d8cc26ee21e94f2b96adf224a4d57eb45e579d9e273914c5c9a2d3023e4e874017fe5741d2c6d2d15e4a29b8bce6d1d77da948ef8007c226c37545d8d241e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
41KB

MD5
a91a891dbe99daa2261501ba8aeabd05

SHA1
fb0b75df9463f2102d0d307f4f42a0e379e5df24

SHA256
058f7c93098f577bb4894b570ed636583d5f11016657fa21c4c7f539a9293031

SHA512
7a4a57c665e2de6b5291186019afe09a0fc42ae0cbc73dc8db1d80386d9300691eea6c8642df65e3d9fb550a4ad987d7dc79cdb2024c2b4441d317032e381462

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
b845b3da3f351305ca997c3b57a8a18f

SHA1
7845d6f1519c80c7a557fdc94991d32bb4c039e4

SHA256
81bfd2945204519f2dc838894e2ba731be11a9ed7214603feb507a68f4d472c2

SHA512
4c416d9e2691c9432a4c4570d94826703d6d35bc2521e1f67d9404879647c4cf8148577c27429bc418749ed935fe197aa05991e17cada780758e0023df8637e6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
b78afb927d163c199bb88ae4e2b76ee9

SHA1
787604e95c73d02ef3da1641f5c8b203c31f6ae1

SHA256
a21e79cef189ca01713d99a6ea927e52913f5df7fcc1500fc1b5520234bfac66

SHA512
ab939d83df69bcc10856bf463b1fd2df5d7fe4b6f4cfdf6f02c27f5f188ec9e9c3540d49103e407e31e14fb7d8d1ff1da97fa0340cf0cd6eb92c53fb807e6254

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
45KB

MD5
b958e0d731a23953576cb9944567cac1

SHA1
a03dd31823097e6058526c30cff24bd8a101e918

SHA256
fc80f44a7a6f25f3e0805469e0845f800984fc2e8cdf6498a02d7673b75425b6

SHA512
618a1495f14a86fda2b37e8d26b87a5a51ef9907364c4a169b03c735d36888f6ef9e8fec83b03616b19bb5ec42dd258f7f534233c99a17b1c58ca3a77a131897

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
48KB

MD5
dedc807b37e5ac500fbfcfcf225c6ac1

SHA1
bf9b1e0a6456c12235aa825a787802b948dd4bee

SHA256
e211990d0ebddd86512f1f3f75b04ec8afe5757bd015b843a6000cd983ad0789

SHA512
f3a5047d628c6c4dc5d1bc33d19d64c33d381a44f89df80b610aebb76fedc20cf47f8319f430be586cdbff86de52879de17604719579405ef363fcfd451e03ab

Download Submit
memory/3420-226-0x000001C0D1370000-0x000001C0D141A000-memory.dmp

Filesize
680KB

Download
memory/3420-227-0x000001C0D1420000-0x000001C0D1496000-memory.dmp

Filesize
472KB

Download
memory/4384-190-0x000001C66D8C0000-0x000001C66D8E2000-memory.dmp

Filesize
136KB

Download