toxiceye | 6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75

Analysis

max time kernel
281s
max time network
379s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 11:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

111KB
MD5

e3d580a17a351366392ec9e2af674524
SHA1

354e8f441c2fa510e1b3ecab222280649a7efb9a
SHA256

6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75
SHA512

a7e2726a2b28a39f6624f419ab9194b4c8e3d4c117e324c2719b3f944c5262cbc064df8989d34b984d8541767327d18381adf6678e4445dc8a49afe0a0824309
SSDEEP

1536:dn+bAQACiEXM91qQIwvL9x1Cc0Di4OybhDqI64QW6zCrAZuQPEDrL:sbaCHXELrJp6bxqH4QW6zCrAZuQwv

Score

10^/10

toxiceye discovery evasion rat spyware stealer trojan

Malware Config

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
1576	rat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
134	raw.githubusercontent.com
135	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
936	tasklist.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
748	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133811543468671996"	chrome.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	calc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3164	schtasks.exe
3476	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1576	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
408	msedge.exe
408	msedge.exe
3720	msedge.exe
3720	msedge.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe
1576	rat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1576	rat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	TelegramRAT.exe
Token: SeDebugPrivilege	936	tasklist.exe
Token: SeDebugPrivilege	1576	rat.exe
Token: SeDebugPrivilege	1576	rat.exe
Token: 33	4652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4652	AUDIODG.EXE
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1576	rat.exe
4664	mspaint.exe
3520	mspaint.exe
4328	mspaint.exe
4664	mspaint.exe
3520	mspaint.exe
4664	mspaint.exe
4664	mspaint.exe
3520	mspaint.exe
3520	mspaint.exe
4328	mspaint.exe
4328	mspaint.exe
4328	mspaint.exe
2348	mspaint.exe
2348	mspaint.exe
2348	mspaint.exe
2348	mspaint.exe
1356	mspaint.exe
4408	mspaint.exe
1356	mspaint.exe
1356	mspaint.exe
1356	mspaint.exe
4408	mspaint.exe
4408	mspaint.exe
4408	mspaint.exe
4720	mspaint.exe
2660	OpenWith.exe
5212	mspaint.exe
4720	mspaint.exe
4720	mspaint.exe
4720	mspaint.exe
5212	mspaint.exe
5212	mspaint.exe
5212	mspaint.exe
5492	mspaint.exe
5652	mspaint.exe
4168	OpenWith.exe
5716	mspaint.exe
5492	mspaint.exe
5492	mspaint.exe
5492	mspaint.exe
2384	OpenWith.exe
5652	mspaint.exe
5652	mspaint.exe
5652	mspaint.exe
5716	mspaint.exe
5716	mspaint.exe
5716	mspaint.exe
1476	mspaint.exe
5236	OpenWith.exe
400	mspaint.exe
1476	mspaint.exe
1476	mspaint.exe
1476	mspaint.exe
400	mspaint.exe
400	mspaint.exe
400	mspaint.exe
5476	OpenWith.exe
6320	mspaint.exe
4372	OpenWith.exe
6320	mspaint.exe
6320	mspaint.exe
6320	mspaint.exe
5468	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3476	4464	TelegramRAT.exe	85
PID 4464 wrote to memory of 3476	4464	TelegramRAT.exe	85
PID 4464 wrote to memory of 392	4464	TelegramRAT.exe	87
PID 4464 wrote to memory of 392	4464	TelegramRAT.exe	87
PID 392 wrote to memory of 936	392	cmd.exe	89
PID 392 wrote to memory of 936	392	cmd.exe	89
PID 392 wrote to memory of 4824	392	cmd.exe	90
PID 392 wrote to memory of 4824	392	cmd.exe	90
PID 392 wrote to memory of 748	392	cmd.exe	91
PID 392 wrote to memory of 748	392	cmd.exe	91
PID 392 wrote to memory of 1576	392	cmd.exe	92
PID 392 wrote to memory of 1576	392	cmd.exe	92
PID 1576 wrote to memory of 3164	1576	rat.exe	94
PID 1576 wrote to memory of 3164	1576	rat.exe	94
PID 1576 wrote to memory of 3720	1576	rat.exe	112
PID 1576 wrote to memory of 3720	1576	rat.exe	112
PID 3720 wrote to memory of 2812	3720	msedge.exe	113
PID 3720 wrote to memory of 2812	3720	msedge.exe	113
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 2188	3720	msedge.exe	114
PID 3720 wrote to memory of 408	3720	msedge.exe	115
PID 3720 wrote to memory of 408	3720	msedge.exe	115
PID 3720 wrote to memory of 2128	3720	msedge.exe	116
PID 3720 wrote to memory of 2128	3720	msedge.exe	116
PID 3720 wrote to memory of 2128	3720	msedge.exe	116
PID 3720 wrote to memory of 2128	3720	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp81D2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp81D2.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:748
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2fa646f8,0x7ffd2fa64708,0x7ffd2fa64718
        5⤵
        
        PID:2812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:2188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
        5⤵
        
        PID:2128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        
        PID:3116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        5⤵
        
        PID:2420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        5⤵
        
        PID:1676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
        5⤵
        
        PID:4288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5260 /prefetch:8
        5⤵
        
        PID:2656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,12467533972426679037,3032924218876524045,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 /prefetch:8
        5⤵
        
        PID:1220
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3928
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:464
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:1892
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4664
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4568
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3520
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:1008
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4176
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4328
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:4868
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3096
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4972
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2348
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2968
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1016
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4752
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1356
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4408
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:4612
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4508
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4064
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4720
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5136
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5176
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5212
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5280
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5340
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5396
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5444
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5492
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5592
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5672
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5788
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5848
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5900
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5928
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5972
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6024
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:6052
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6132
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3136
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:400
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5648
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      Modifies registry class
      PID:5112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2880
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5932
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:5928
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4844
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6164
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6216
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6272
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:6320
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6360
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6388
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6464
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6556
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6604
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6720
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies registry class
      PID:6784
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6880
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6936
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7064
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:7128
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:532
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:5240
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:5192
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6016
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:6024
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6544
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2028
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:5044
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6652
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5864
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5696
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2960
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4372
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5936
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6164
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5228
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6160
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6468
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7124
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6508
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6272
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5712
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6956
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7176
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7268
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7328
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7388
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7460
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7584
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7628
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7656
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7700
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7744
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7824
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7876
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7940
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8100
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8140
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8184
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6456
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6336
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7240
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7148
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7216
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6588
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6832
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6340
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3840
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7528
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6048
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2368
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3760
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3728
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7488
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7856
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7772
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7880
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7424
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5080
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7780
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7844
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8332
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8404
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8516
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8692
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8720
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8788
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8836
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8872
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8928
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8964
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9048
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9124
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9204
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2776
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8480
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7552
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7892
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8024
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6444
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8264
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8564
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9068
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8916
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7560
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5080
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9036
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8288
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5368
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8312
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8524
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8812
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1676
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2612
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2192
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7844
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8216
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8348
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9188
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8076
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5860
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9260
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9392
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9424
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9484
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9528
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9552
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9620
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9728
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9772
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9840
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9884
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9948
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10020
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10060
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10124
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10204
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8220
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:968
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9352
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1348
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9516
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9420
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9348
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:212
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10124
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8832
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2688
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9056
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9508
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9376
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9980
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8204
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4860
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9720
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4640
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9844
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9840
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8664
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9852
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9400
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10052
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3164
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10216
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8056
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3568
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4852
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9384
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9748
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10260
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10316
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10528
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10584
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10660
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10692
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10792
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10892
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10936
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10964
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11048
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11092
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11200
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11228
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:408
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2688
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8288
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:372
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5124
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5252
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10464
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10772
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10260
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4012
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4984
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10480
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10756
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10536
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6516
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11200
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10256
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7160
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4172
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10304
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5968
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:11216
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9816
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6420
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7684
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6260
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2744
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:9724
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6192
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4832
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:6292
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8580
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7616
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:8748
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2876
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6280
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7572
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8132
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1144
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9212
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7804
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7308
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8852
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:4284
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8532
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7520
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd3664cc40,0x7ffd3664cc4c,0x7ffd3664cc58
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2000 /prefetch:3
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2200,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4352,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3664,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4040,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5248,i,3249739496238963560,14714064008546339060,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:2
  2⤵
  PID:3416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5236

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8416

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\46505dea-d6e9-4b59-8762-9cb8b3a34c94.tmp

Filesize
9KB

MD5
74d383d67a717ce0258c23a47675a9f2

SHA1
5f0f1cf296fdbb0eb2bf37ae505e27a03a0a80d9

SHA256
dd216b4b4b7dbea97a1dd78286b300d916c965f2ff53a7afcafd42753f6f9122

SHA512
89538fdda726fe9ec0d1a42d7a5424b0f27ef34b87ca20522c5249fcf21216e30d434055ea0960c6957c3f5280a4f7cee2f3879772b68821a39d2f094d00a932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
03c7419adef1b892841aa5c6e6e18bb3

SHA1
63f871b8123b9313ac98e90577318905bd75bd93

SHA256
3c09eb4a394c0d827d66f48533d59c6a5b5efa23587e0690ef1d5d233a8f0f6f

SHA512
51adc354e59efc05bf3ac1b75454ac06fdbcf3533977d178e41ad986d2ce97ef426b4e9fbd1078c73866e7d3ac9d4735a59d372aa8b706882bad956823151e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f3a35dc9eac360f4134cbf7608695618

SHA1
d7b68df8a0f61f16e90924497df128ac75be6b64

SHA256
26c861c63c2734e2b19023fed2d85bba0ec8c4213119be6987cf02e3b070b1ef

SHA512
1f56cf1c579efca6c063944bddd30c2941e01c278eee446dc60b6aa240fad72e02794719241920f85c8f8dc0e3e27905ed10d1e22e48165010809bc426c26ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
201572cce08e592eac8ee28a65171596

SHA1
6924d5f1204cfa35dc291c9c37e7313da5a2fbfe

SHA256
f15cc81f86f0d2bbabdb3dd18b7c2537c2b27161ff14fd14f480b83a14bfc1f8

SHA512
f7b8f40aea13bbb7dd163bcf64f345ce169eadb03da7eae8d0426b764e78d03db04432db39a8a55199eeb556708b474311e23005e164f8d69e12c55ea1622cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
026beb57f5092644868df3ab6cf20a8b

SHA1
29e915d01a0d1e43e672359356c52e55c59bcd9c

SHA256
94d46e63c3569f892ad5a083a976294ab58611652fddfa5bf21670a54d381d0f

SHA512
62231284ef3ed6f2f0b34163ad9468bc07c1940be349cf0d04954277f9a2f820e70334150a26d70e3065c8b332e3310a6d17d65ce5fbf0e45e1981ba1675ebe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
13f6fa4cbad0509f639be9f60f53085f

SHA1
fafda4b000745eba47e0219ecd5149a3c46e6a09

SHA256
223e5416db47ab559048429aa1509f0930bf333de3058bcf63480f1b07190a4a

SHA512
cbfb4e0b534cc51f35d813c8859a7d035c97eb55dd67da534989d6a36f9b1ea8f458704e8e835d8d0834de38ef4a4926490b63bed90b5967eb280b169e386d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0144a9990bb0241a0d9752525e1e65f3

SHA1
7287e7d87a9ef67dbcbc248b3405a5c940451f73

SHA256
4d60425c2f814b673af0c85cea930404583129b1aca38394c89d6e4dda113f45

SHA512
0ddf9d6ac6f69224fa8704ebb375988054523d1bdcff705ec27c61dcf20627b6e73f1ed90d5e17d046f584cc044f83d7b4cc6ac8baf809746503762c81c7f8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
809188c158dc8a98e97d726f72a7c081

SHA1
a2e92440de48bcb911411b99fda9ce4527166815

SHA256
6133d5e8a4f791be98723ef1c42b2201f850b456fce7f90cbb961339cded855a

SHA512
e984e12724d51cb80103cb2c5a433f5d371c31133860782f5c20df0197127e3005f8706beaa25508712c830973a74af2f30862c4dcf695ab4095eb9d2777535f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85d6cd8a8d1c0a7ec15169e38a31b4a0

SHA1
75cab2c049b4bded12fce9375f54cc160b9c4177

SHA256
6eae536c59feeb44de7fb2bfd56e784cc7985b401a9757c7afc745389c7a1167

SHA512
f29f625776c24d79e8efd8436e58797c0756067926b2c99a2a968d9a5cd86a00c9e3889fba82802bfa3fceed304876e34de8dae71ea61c0929aeea225bdc0884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
714e0db4c76207d41ff844d05bdecb7e

SHA1
1e67f0a99ee35e0e986dcedd8eba3ead3aaaa7f3

SHA256
e6a5d47a4524a74e170744767fdbd1f37fba2d40e0394a5006f1f8cba33c8591

SHA512
219fd531696cf68d23a4200fb06d87baf448c2e9f5f8c3a38aaa2f301670aca3d4655760e1659cf674fb3ffbb9cee17c7327b8e099863a07bed9eef04ac8fe12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87a564bcba146ae36b73f8d4e6994bc1

SHA1
710533a71595f9745fc65eabd474244f4da1da89

SHA256
a47c07572ace4dd1be5e5bddb514cdcbc3c7a66d8bb91592c96f6f192b6458de

SHA512
c01e25738dcb9d2bd7f569124825189f057a17c5b6b2e2af32785ee55332092b4be7cb876558d01fb14cf0f1cef5c692d098f09611229a3d94684278e1164361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f71b5a8afefced25d8fad7a8df4ea5f

SHA1
646677a9f3c16a281caaf4451a1f1e2918987682

SHA256
3fb329d20c4b600db791a276b24f3e118fdaacbea75c531e1b3a51ca8990dd73

SHA512
e00202bd99f5e3184769a0454420c55e2320e2cd31f36909cd30bc4c5c6b496761816af93543ef754f6c785ba3a85faa7dbe96c213956c894480227534492e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37d34b934e5201ed93c82ef3870cd8f8

SHA1
ba26aaaa9d4797a56f10cef4433e9feab39b0b43

SHA256
df763c2529c09189f638c4c85326e10001a555ef847c065ade318915d75e4737

SHA512
9e3659da6860abe81c6d26bd52b524ccf56659833a3814a74dd9e0075a029795d0fa8e783b809afeccb767596787a04a548e7a8bec3ba771a649d982ab51ed4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
dccc3c22516ca8ff02858fd83a3c3f81

SHA1
069da17aa89ad879a4c0e3c2f2fa4b8e4eb6813a

SHA256
aadc53ca4745d7e8932579055b7660742d54a06ee000cf99534c2653cb062e7e

SHA512
77e331e53d5390e6a8a3076bcbc383892ed0a51c18102ee9339b40b1985bf8f0b8ebaf09cff2f7de8f80237b933597b258237d591d364c4bcf0890200666d50d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e22a8309bea22fd3e615d881efdf8461

SHA1
eb942a0395414a7e8c8cc8b12da3d1210bc3bb24

SHA256
921e0059e09e47e3ecc60ce85134a85c343f1a904e7bdeaf41c98aef52fb532d

SHA512
cebb221a79d1adb8be6f1551f6159f0d87f56476327b08d527e1ec98f65217d3f98b694ada29848e34123cba33a763c7741f2120abb9daacb3c00a6cb1dddf1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1003a2133fc596c625ff6613b9cb1467

SHA1
2ae719cc51caea1de88be989ff5bf64af24ca555

SHA256
7216c60263fb7681d05441e2165b9d1dac5d6add15d4edd183737e42eacaa679

SHA512
db35f8febd554d69ef8be5dfe33dab44eec00e49cd74132bd3c647ef3778beb14e20c6206b3067560ffc795dd867517e9bc412ace233dd4152d24d7c43e51b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
798a09790473b5d85a50e09f348db09b

SHA1
15cbb7e7c2a23d3b442a3d1c63fb937acc88f14b

SHA256
3c427a0307789468a8b3114f4ff16d485887870531cd94186bfd3d4b035ecf8f

SHA512
ccfa3334a537ac16b4dc3b6b1d462bb31307a6806ffc39cdca765cdf81f4c3c20f4d11a38af14fdcd5f72157bc1879a4970e674ca297c6fd0ea8207f56f8f6a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1d10cd068382bea122bee8dca3484320

SHA1
7623fc013022da5a3dd3143159f133c6157af4a7

SHA256
f7996461a7f49d2245a4ebfb818b5c4826ececdd57b6494f21fbfbda40088c36

SHA512
112346930ee0831ca5913a24e16c5a7bd9ac7bf2059126522b1cf3038db214510951e3f92094868aae87f6543d1c513c184f9fb6fded62be9c8be96c186c87ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
73860fa09ab7d63b762d6f8a0c94ae44

SHA1
5e4fee9b7cdea35ecf6319864cc3bc1793273267

SHA256
ded8e7c75049f7e054ece6322a13ae972e79ae0c27b68c11988a1a73d6391706

SHA512
3463660f90be54d7be1c67726b32ed36ace57ecf440aff2ab237da2425e60a768aef8837f7ab608dac230e8e8de5eeb00c56f2f2a2b38e2da61685c527aaf971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4949fe8f315938fd2dbbea905da1a067

SHA1
683106097efdc85b16d0ad0f4b33e6079f88ca34

SHA256
0ac533f3c9adc843c500664d0a26a1bd635726f2d7477a85fb27c3973ee78e6c

SHA512
936670ca58f2dd50fa1b2c99338eceefad9b5a5cb6f00e99264a36390083967e29f5a7f4fe1015bf5ac8524e6c84df2ac3ddd37377452b8e22589e9e11560666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0ceff8c01de0364ac9f8375cbf8dbb3

SHA1
4acfb2f0f40c842d4f3c11b065d2ccd969999973

SHA256
9ffe01bead5b878fd8b1e11e0aac6106a15ac0ba087ceae2ca7fea55b19a5b51

SHA512
1ea4e7f9ae2c465dcfb6d22adea0ab06ba716ac4b7c155ddc3ec247dabeb8f244bc1bdba82491bbd581c13058fc4eff62daecce8b6efeb291c68a8f212e1e447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
384fa70b8fd409d14887edc65af76c97

SHA1
0fbdc32708c5bc61d64687450a47040355e1f498

SHA256
d051ff588c088a87988a0f6c79cd0557d802d89f37888999b2c4db195c7ab849

SHA512
c36bddd75333ea99b23a8398e78cd3ef2f0f083ba151ff5306d915412b5e9ede0301fab8caba00feceb3b835cf225e38e8e472bebc97396350feb60802d3717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ad21a09a-8ac0-4f9d-865c-1c7fe5e0a9c7\index-dir\the-real-index

Filesize
2KB

MD5
ec72ec1c6c876cccfe76876a1ea777e5

SHA1
8a7162ff04418cfedb3b29431c8a52f8dde12aa9

SHA256
35e0320f558ce2f49af1e4f649fce6ce2afc7265a50275c1f6d0937abfd99b83

SHA512
8cf084ccc03c7595fe6dd09e4e83caa037ac9626b791a9af06fe7d1aec48073217beda73e92f62139b581674179cb93c736fbffcf5a4c93c3e3c896cf7b2af3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ad21a09a-8ac0-4f9d-865c-1c7fe5e0a9c7\index-dir\the-real-index~RFe585b0c.TMP

Filesize
48B

MD5
2255c01f53ab5b5ee88a6a77a40e14ba

SHA1
aaf70f6dd4c8f71dd46bf46cb4c9ddc8b6ae7f97

SHA256
734d3309ac7127e3e2c59e4fc3bf65055e3d5b3f888bf7f8240986d1dcbd4f42

SHA512
8d36c334ba4462f9e62193871dba4ca0fe2bd763ba1d7720c9eed9bbfeb608dc2ad950a9b658c34c9e4506d167ab622e36a90b637878bd7297410beba2b5feae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
32f2a95192c346d6e3c3ac9f8872147d

SHA1
864b10753252c39ab86a6493d03ca56df4d659fa

SHA256
2c3ff1f9b8bee95e326c38989614ab340b405a5ca39a2eb6757959c6e4c491f6

SHA512
7c8495b088ea520fce9aaa3ac76b2e19c97a8db38d006d66a0f75353329be1e8d98d68c89285f6477972ceb527f911fdb1a46ea0342ebd357ed12798ea76c3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
e599a37c3125cc9c69784d0fb0fff6a8

SHA1
e1101eceafcec876c7ad18be07c7b2a455c9d411

SHA256
991ecf196203f6879d6655188824a493646bd59b49a14b222ef47b7a1bb6f3c2

SHA512
2439c5164a6fd72a4f27f10d6277a43395723c1aa774a551e4a1bfb02d473a13e10d0854024852a6a10f70464aee9329d652f5c52008d832baeeec7b38e6cfc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c1f1d442c4e15d5838c5a599739559a8

SHA1
22fc70d18b1fa56f8c043e313012a7a02c0ede44

SHA256
19f2ba5f6b2a0dfef094a0be462bfb8e5ed10cb58573cb60021c50af2f90e751

SHA512
110b423d0f571488e994e1e02322e441e6a441bd225238b519cb29ca688a08aa9101dd875218f1c204ced40c8a0945e5b8482f8534288575d395c9246cbfb75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
bb19f7074a5dcc0b82fe3f82e7430794

SHA1
e197e89bb9d27185a9c5e14b522d378d205387d4

SHA256
0a0a2d6a0bbbeef0195a1f9c98206d019e4e05a64c029d672421b4d3e17d75ac

SHA512
8ea6f59db25be4f47774b32cefbcec4e218e3851220b4c46514af9a1daa031ceb15e58746b1f5f7f0cfd6d3df5db08c991889726dbd9073bd2d5ed5e3b5c2b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
df24e0e7e5c8c3bb97ca231d884da702

SHA1
37a3ca560cc6b012d0deedf7d779467832941af7

SHA256
2c9813e9c6f3e246f38851f4f0eb237c2ff6898abe18f9c8e6545b8c0298fc80

SHA512
789a731684b766f0fa00f9ec96ab0586acaa625ab5eb829ba7ac93f9483d27a3a1bd75b9adfc89add7dd37b734aa3f0039bf3176e3029dcb0495a854dd5e92ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585aec.TMP

Filesize
48B

MD5
9f13528b8754537c182e16067b885740

SHA1
5be6b04a55439d4c40ada49b8129eb318774bb36

SHA256
9a4148855fcb06dd22bed4063912407b8daf8eeb22450fe1daebda86ec7a4fa6

SHA512
7c6f692a78324744b708ed6aac20e18a039553853427167806eb048c6614bdcd704e7cc4b95a4c8c80be514d0576291d8987c992959eafd387f28e66c2761f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1d0ee7b432df9313a1a6c653d9a2eb3

SHA1
577b608274197e46d5f939806a2af3dbb41ea835

SHA256
721171ddea0f4bb525900a12f5401fc6f3ac80d44ee594c8665fb0aabb90140f

SHA512
77baa99a1c528f216273847c9a23b7ef7f24ca5d89f9b41b1a2c4fadf7be2a4f35017482d8ced484ab2b1ae72467d2b94e21206b39283dbf97e4ad5d16f95489

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fafebe8-7fda-4e0c-8f2d-a42a789b7c7f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir740_1460678822\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir740_1460678822\c872b9c3-c0d3-4b53-aa55-c00259e117f4.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81D2.tmp.bat

Filesize
188B

MD5
18e8cf46d5a3c95af87eb0deb5a95023

SHA1
773cc0d97c6f1e1fbe448a9105f18a4634f83eaa

SHA256
6cc24ae9d4401cb39a9f365d1f4dfe5878eef6262aeba4137665731c7f9217a8

SHA512
6ebd234e1221a55545ee30e0fddf695d27ef371f7c13670b9ac767ef34d536ca57dbaa3bc48ea5ebaecabd90c82408b68943422f6094f5f900887c8eb940324b

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
e3d580a17a351366392ec9e2af674524

SHA1
354e8f441c2fa510e1b3ecab222280649a7efb9a

SHA256
6e644b385d296b76bb3ba68ff006d6b86de763c8b5792e07053e20e3d8218d75

SHA512
a7e2726a2b28a39f6624f419ab9194b4c8e3d4c117e324c2719b3f944c5262cbc064df8989d34b984d8541767327d18381adf6678e4445dc8a49afe0a0824309

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
0b667e08a505aa8656151c3ec626565d

SHA1
5066133aa55aba9bea834695e7a9641d2a1c88da

SHA256
63e3f8f254a2c501a07aeecc9f693ecc1cda7a79f27b84ec132cc925e453ab1e

SHA512
eaac64296a7b778047ff9b5faca09adf36cd7ddedabd3fc48da23bf7ddd00139c1cc65fa24c3cbb41b90f33a4940aa19b9834e1140f84b32bb46227ed3faa4ea

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
2f70ed23db9be882542833894ea582ce

SHA1
b65138d26c3fc7e17c35fc234c9e888719806927

SHA256
78fb87af11be461d3ba4bbf702bd1275e946db2f352e5710a98c7e513ede1398

SHA512
7671575479ff90a2d46f0781cf135981e0976e15ec28ef54a3ffa7a92baed15a4e016d6d850055687f429b8efd95792dc8da46e6a93e43ed0250f4f1f1fb5dc7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
5b84a444573a0157fd8d8b2909669ac3

SHA1
6ad43b3a8e0844b8fab74abe2780d4f3286a9e32

SHA256
625ec0176038236c0cb45df6b9c148af377ecbf3e1c862b784e802a5797cf9cb

SHA512
dd995b28b3021798e52e367254aa4fef45a9d7e20f7bb53436b3ba5a86bd1d87d05e1245e28e9a376dc06e4d85fea831da89644d7fb0627d7830bade22005fa7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
9506087ffa4ced6371a71629ecde998d

SHA1
aaab44df6692584339d7e612e2ac433bc870ba77

SHA256
ce1b65da8f7811909436804dc8e38859c90e91afa21ca46aeac77797e947d02c

SHA512
854f715471002c684b397f9569e01f49669cb9f83dccaa0ade0ddd173b3a6a428cc55a119865186fed317965c5aeedbb56ec90160cb97b6490a61fed8e1b19a0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
13KB

MD5
5123385828e42f9d47457493798bb39a

SHA1
5d46b0ef33a7f815550d3e33ab1ed9a31897fd29

SHA256
c34851fff9c1f8723b370c6ef84b913fd5f349375274f9e743c85a869b48a572

SHA512
834f96a33b959e28b217c2c9af6bef8ab55def6ad558454234fd5a5b2cace69f0f8358deec457dbab5aac10e9f0962ef07ce8d26c01b44b8efdcf1482d87ed2c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
c2064c003e8c2521675b9006e4ec7da0

SHA1
1bdd6318482f0d98bc859110eab040960a823f49

SHA256
6f48e2ecf50177d0eb45b734f5d7293a024b28933f12a448533cef484918fa3b

SHA512
91e85bb0aa9dd2a081dc670b04c165cd036da267cbd94ae6694ce8831748e662404192c43fa728db055e2742147c942c2ef5d83c08ac7733a479b982b68d29de

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
16KB

MD5
c3ca90682e53b2610c9330100aad0d33

SHA1
a361645f27b376b127f729c2b79b62ba46342385

SHA256
ca9a4e9e9dfa15d2ea26f1d7c8e978554ac6de7941652933f3fd3da4b216ada8

SHA512
25f415d43622a8052e628dbc7e458c1485805e172a49199497801755f8715aa447fc99bc8af6c3ab733ec756c92ae7af8b80294f2d6cdc3ec2d7b633a7aedd88

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
5401cad9af13b592c0cd400a34aef925

SHA1
154121bbfd75d3f554a0ebb097b0a2a61c86f97a

SHA256
cdd4a77c73779ad889c99671a16872b77486ad8b8465245b4822878a066396ef

SHA512
5ea993c601aded09ee6e9983829a7a8252e29a94a981c0e95bd9ec136b51cb4344632d1d23f04620d3fa743d9495ec925a21d04a61320231cec45afeaf716688

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
11dbf2728d0e79631a7ab13aa6f18bd3

SHA1
a5e95e68b2157fecdcf7127739e6b7a3ccff3828

SHA256
c207f3ebbd1a5ef1c750ac3aa0a284c2cb70cd0c2e3f9ba14c35207ff17b469d

SHA512
97bb6adced9fe4272ea53cd56d50816482e939e2f138e52faf72e5a212ea15413bfba4cce5e0a3e7642ac33185debdc1fda3be08068002670ae9479f152953e3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
22KB

MD5
d024156e67d2dc21b8f435fd8a18e1fb

SHA1
001496847afdec48a97d7e35b24cb54bc7d455b1

SHA256
35db53f9caea35850f00e853e9955689c7bd37c2674572c668eacad77be33b4a

SHA512
e2e7a2fe0e6d61f5edf2d8b1a175b2c6cb9a14e43187363241b264b994c0f9b5e09aca67219d54c9734ee0ef814b897d2191b9f110e77134dd0b9a1b3b3e54ac

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
25KB

MD5
1eca478101491020ec40ec452c948a67

SHA1
76939293c87c1f7069e7c1d293e137a92377ffd0

SHA256
30a6c6a74bda61361b27936f157c8601c373fa117307c05e5d7cb35715bc5f19

SHA512
60b6ad3b1a056fa6d7e894edecccc83444a39c4b86708e524fb5253651801e0bf54b0293edbfb3642b16122e19b3f287955eb290bfd21992989655afc634404a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
27KB

MD5
0291f0c6712f721e03cd1b98ee447858

SHA1
c62c5048b7867cad4ca073c85b2eeaae8796a11e

SHA256
cf6460ef400fee6e4ecbe8d037be6b35cabd19e4df80eb7696943ed57fddf79a

SHA512
ecf35ff800e86891e36b37ce83a14716899d024bcdbcb35ea28272bf2b8fc8c14d19d4a361e2fbe430b6862b3de026a72b8a23b2b0a5fb2c256a3e7e1f441e1f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
28KB

MD5
4d5d253a6a8bb3c7557cbc8cf138eee3

SHA1
28e79ebe95812c3335dd19fb5d0719990fd758c8

SHA256
5ea3baf36affae02d241e8a16338aa7fb760c95910a8adc8e914fb66afbbf2b4

SHA512
25e7c3ea3cd997cd6db3d9318d07e15d59d6b9fb4ccbb9a5ebc6ad2ce391e3979bc080f2b81e95ceb228ff7d2d0db6691707cbb6f0e54f9785e816e5703d00a3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
31KB

MD5
79e5c611487a000e92dd7346c9f1cf95

SHA1
8819400da9fba6d6c273d10f4b8f162e81edc322

SHA256
b4538792635d274f8a4beb2a97131e83cc08245ce0329ceee448c82e327cf3e2

SHA512
d15cd1d47cdee5677d7b1474a817b6810526ae2cdf3e2106d2486a1920bed26b7467199c77613e6d6c71ce1816425642726d2c83d8ad09c8a35a9a9d1678a0f4

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
ed2e62b8dc7a134321f5ec3dc8eb3736

SHA1
65762f463af2c368cabdc44ff16579be073191eb

SHA256
3542e6a23c6c1381c48eec95706af51d5aa0fabe33386e3441fb54e582217d07

SHA512
8a82bb5e6a68d29dcc9e304347f68f902db07f6553a775db84cbe53bdad5e3fec97fb5abee2ebf370614f72f7cb206b1ff2abd68bae28ffd97b7aa5e19ba7c37

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
34KB

MD5
19e152dd0c9cc91c840101612fad9711

SHA1
ef00e10f5e8fabcf5fe2f6be83d7ad6ba366d15f

SHA256
edb4e641d3c88dea78e338f03cd6a7b4d910c96961677c162be9a4a8668a7aad

SHA512
d620ad95f4b7a7a1fdd5f9e08232cb8df7255b6b1b07563c3387bc82f0552befd060d07f0e8fb1bb0d91b86ec5596e33d5059f86d34f89703244135f484d36f0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
2bc969b2ba64a03dbb6c41972cd67472

SHA1
0340eafebd68fd29bad919aa125c7c2cbcb73256

SHA256
38ec492b71c801524a5f10a54c4a864f12d83b3a0aa5858c0840a60450208d06

SHA512
b9faf807696f69957afb0be4dd1a94e768a265e0d6ca0b00fda845c577f6c160e339654832e347c646a0a45364b567c00aadca2a4547704da71ce20a434d726e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
38KB

MD5
3b74c3db7391cc72cb45036e5f194067

SHA1
e138fed10d6e96ac9163d984324d62a7ce1d0ffa

SHA256
b2b172412b4e97565e8b739394abfd58e9eaedf72ddc76aa58db676aa0c5b3d2

SHA512
d93f2db38d424adb837dd462506479aaffacc6ad36a348a3cba847a76378db745f280a814b0f1ab786bea3098bc1080d25e9083822c3504129b2631a25c16b13

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
2d8b937404629ce2250ebbf368eda325

SHA1
90d0106cef3a5c148265d7693b8d6cd8f6ef31c1

SHA256
a5cb5b8f2edb449994680a8574b6351d04ad21e462e6c3f0164afc1d30f060b6

SHA512
a0246126ff974ae8a742e962d9ef23cd6f6612389aa7d8e153085274d41f99fb281e438e65f8c9c2e7a649763bd84b664144ff94f6d99a4ea1f5dfe634189c41

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
44KB

MD5
ad644301f9c684c7966829df24def122

SHA1
2518e2d8fc05200d1efd44c52aaf59fcd62f1c85

SHA256
2e256bc9a57646ee216e34378088f58e97684dd887a6556b579c7db136905ca4

SHA512
bb48e4f0c11c9e10d3546836fafd323cbaf09e6a5bccd918400374e0319929613bdac951de8681cc5c2122d74f1f22514ac71cc894b3226a07bd8dd1fd9c6368

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
45KB

MD5
0e5ab24dd4a84a75b0bfd801ac1c9cbf

SHA1
141ce34101a966b1be8c5ce24ec5ba1c3faa4906

SHA256
51bc3db0897bfad918a8820516453b09bbb8424a7859249f5dfb916abfbbd528

SHA512
d75bd58cf22fbfe18f5482799508cc7cd71d24c5e4ccdade1380e1f70e95b82be02c19a73f1f89bea59717efa2f6b324a3efb2b98b8997e7e3f4248b9023a963

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
91ae7f978db89d592cf9f3a886a7ba32

SHA1
a286508633f1704449744074ac388cff74e8e20f

SHA256
e336f7487a85166fe35bb203d01b44f55eb5de2355fba0c8d4700042861c59cd

SHA512
65423ddbfc654ac0d04d5ab7c8f84ea1a58e9e4bdcee272bf3dbb561efdc2ff823cf2f8d33e64836f6a154e38791eb7a9825a8af8004a50da1683606a6ee4024

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
48KB

MD5
61d9afea6d93401f84e5e7725901464e

SHA1
e2c18e5034b4851cd85472ea92f957737ed7c5a3

SHA256
44cf822817431b21cc88bf557233de459cba8a2c3bfac45c7855aa88517464d5

SHA512
e7b823b7fa9fafbb3a8beca00e70e13ff49fa329f6d43bf5d87b27ccc05412f4c749281ef9b68462b5b6ca33ef6524d0695df721a7c932e3a2235c18b6120a41

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
51KB

MD5
156039f5b9bbd958a7d77c2ccc58487b

SHA1
99a24fa5a09f1c952d7f2ed95acde30b2e032c1c

SHA256
2319c26489498b3ab8b7c5bf68415d6d19b1612229f1569529b08329f5498df4

SHA512
a68c789aa5cf4c99d940531d628be41da35d6bb99f61eab10e552d06b170da673b5833c0f10bae80e2507dc01e2658386e7ff083e50ff0a6f418a1505582f53d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
5b6fb2268dc3f56f4347cc24c8123e51

SHA1
257b6cd36395e798c1f0fd1035219d49b1d88c7a

SHA256
b92cf86a8274657282e1db7efed52e24194d9e6ca8e1bca6213d64ae6a994c5a

SHA512
1ca4aa80644c4e1a8d4bad354383d88059789764eb120472b26bc9e535686125fd483213b6070e969132668ac3aea606d34f62162d690d74d53953ecba58d813

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
56KB

MD5
bd04eeea95151dbc634d0c3a169c7b49

SHA1
20d1c665fa7dc82b5b5efb176159b7607c85f5f6

SHA256
b50a481592d631e0d051a7d30ce9d04a8a3cf98d1b920ca2a5095cb1a553f6f8

SHA512
5e286ae326eb7d546921cef0ae3991cf162567c26e61cacd043a28ab408d5812bd36cd5c09d707f1fb29e919c0d8e6f3c270238474201a1acd98460bebc9623c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
57KB

MD5
c9eb93d07dcf5e60273cc7979a4b1f7c

SHA1
40a4b248e6ba1e3c527f675273a828b762c896f7

SHA256
76f11a784dbdf5e38be8539ca6c0a2ff56556477db7bd2e97e29168682489c28

SHA512
d4e58c70a8f52b9c96fafb3dc716c1f6738f3b079891201c95dc856c1b3dca6d4418c7e4ccc0a653a54198f3db738db894c1fbf532928a4f078e9291903efb8c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
59KB

MD5
da1caa06f007c4fcb593e92740ea34c8

SHA1
c37fdd3985bcb422a74ffe9f306bddddcf8f1357

SHA256
8356dad5a02b304e81ba70938e4aa5bbe3d8e3d01e18cc01da9be667067465a4

SHA512
4d39c3d4a2aeab0cfa312e602ba2baa0b7dc7c325fde2a562f8d63fe07c28dc26c0d0979db998e9f4cfc6766d84aaa7fa713be3e739d1c1d34136c4a4d4e3d0d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
60KB

MD5
3d4ba92cb7cc11f61606146ff8b3fd7c

SHA1
62ffa104cf00e9a3e73787e706b2b3d231e33521

SHA256
29fb78d92db7b23bd57c7af7136322bd4999fa35b5cabb922faa5ea04548cb57

SHA512
c7dde6f00ed5a8ecad015f9545f77d56a78888fade6b585d1a47c41dd22269079763e4085eb443dda53a5377b3af9ed9048ae62cf49e64d2282d4f3b13052226

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
62KB

MD5
cdd8daf2c379f7795e7eee3d11aa942e

SHA1
aafae11ec03187b7d887e5d2e4029caf20b2ab67

SHA256
72d264fbebd38faa545ace4adfde4acd4b502b37d2b920c9c92dc88901345cb3

SHA512
a3879fc601e5151617badd89c05e2161acd215f4e1c34dbc2283a7a83a6205ea175fe0ec7940975d444f2cb07e1da597c5f88c385d073b247ec45c592bd668ee

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
63KB

MD5
0ac2ed7a3a9ffb551069478fba5e8e9a

SHA1
356c3896a2739a5ca129e04f681d7aeeba87d6c1

SHA256
5c8782d23f59de4ef44fc881d0a12a168f73cb5b8f3410c4a5fb4fb08443ef8b

SHA512
9cd70f170b8112debae7d4566728a64a22b9fb450e657169fb44fd74361b536c9eac28dddb7e4bfaff723d06745d6c44b9474acd9da172ee456e9f12e03dae03

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
65KB

MD5
85342d115f9cc609fa5a44964e84f83b

SHA1
749998a046a4163b7b3fb4638de9cc5ca0025f1f

SHA256
106fcf73d30a94a88ca9e442055c849526fe5ea93258b02da8a71eda2ff6418d

SHA512
123f54ff22caf2cf74a20bc80f667ec7a15b6c43b310692578f2879a9b5174e5c9d87a7712512424353009e2b043b616565a0b4c565834fa8a9ea69fb4a3a917

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
68KB

MD5
ee2fb3b44d4add60e986b9414be083e4

SHA1
ca465863474da8db4dc351895a1c79a6108ae906

SHA256
a7534da6274e3aaccc9c688f5e926c0a32f7459f09589e28fede30eb26ad3340

SHA512
edb0348fd9e28f748a6e38aa469f69257b2a847946a8e23ff9bac05c1cf62e551c79fd1e5c345d5a5eccd7d0eb95f43196024136d8e8c9601f72678cf97d2a89

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
70KB

MD5
dcc5ba316867fd56fb0d23a32e768d20

SHA1
2e0c15a59d65adb8affd00b17d98fd6f208af082

SHA256
8ff2868e8360c0ba2d0c34a6badf735e058462e298ac0d2e01236597813ebca9

SHA512
7a5286ac05d33b297cf980e1a217b6ce7f755b56e9b8915ef402ce630adc14bb9b1c36796d6e9c835c2c696b49a48d106d6f318dbb2da2ad63e030a256f8f374

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
71KB

MD5
b232664c88af0e4838bace25e27a9bde

SHA1
762bb0bbf4bbfd6b0769cc315694cc26900eaa56

SHA256
1644b0af52bd0275c78c66d9cb403d66e6146f253b8382a1d4c3e2b79b1039a4

SHA512
7eba1dc1f2ae6e43b91196db1dc9d1bf5f57d190f4d842582e6a906899a2f0c0eea7f50c6e3cb6b69cc851ff877a07e41fb6e60d7e518ccafdabf8081682babe

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
74KB

MD5
cd0eb0438fe08753b5cf722e8dc27af3

SHA1
298401686d19f7a0ec63d2eb5d619f1767a2c989

SHA256
a8e3143a9903f65cbdc15b149e027001205b431dbc8f96ac49cffba1bd72851b

SHA512
970e231835e23b43d0ed35507ebcf2261e712c648303932b0f621a35b7bfeb97e10d0f2fdc15c918731465e6183b6b1063b68e41062b53bbfef5d09daece32b4

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
ba63ca1aa9800fc75893a1b93edf08b4

SHA1
e239d198366d4d608b588bfd850a493c5466c97c

SHA256
6ad8e7121552bcecc0db86a1cc3a89d55b574173fd1be987252002c8f03b32d6

SHA512
94614dc0bd9f3cd8a0afb72ed002b4035f8237113d4f2195be5a0ca5c16742758879a3ac7631771ec59792b60efda03dc5259cfd16b22c79c11505ead0797fff

Download Submit
memory/1576-12-0x000001D6FC760000-0x000001D6FC7D6000-memory.dmp

Filesize
472KB

Download
memory/1576-11-0x000001D6FC630000-0x000001D6FC6DA000-memory.dmp

Filesize
680KB

Download
memory/1576-887-0x000001D6FC5B0000-0x000001D6FC5BA000-memory.dmp

Filesize
40KB

Download
memory/4464-1-0x000002354A630000-0x000002354A652000-memory.dmp

Filesize
136KB

Download
memory/4464-2-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/4464-6-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/4464-0-0x00007FFD35BC3000-0x00007FFD35BC5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads