babcb0c8311a89a4c9fc4cebcb7d267fe51cfa5991e2058425a61a316db51f07

Analysis

max time kernel
301s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Multi MS Teams.exe
Size

4.8MB
MD5

0d06f074b3abfe064bedaa0263dd33be
SHA1

643d17c2ecaf1b388ff5691edf922e5e2fcb061f
SHA256

babcb0c8311a89a4c9fc4cebcb7d267fe51cfa5991e2058425a61a316db51f07
SHA512

41b104ca73a197361e62151d1e6305dec9ffda67b56b3c069f3800b32b3bb54d4d56f68c2edda33fd1576a8f624ec2ddb3679eb7c715e6997e1bc4e078eb0ab0
SSDEEP

24576:iPyp4eiMomBl00w9wu3gJL4t7qDL2PfrR9ADpQ3x2v8MgVUt+Wbn0TpqCILgKagm:6yp1ibPrwirmpQ3x2v8MgVknq/lkmwi

Score

8^/10

microsoft discovery persistence phishing

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

windowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exe

pid	process
3912	windowsdesktop-runtime-3.1.29-win-x64.exe
5524	windowsdesktop-runtime-3.1.29-win-x64.exe
5592	windowsdesktop-runtime-3.1.29-win-x64.exe
1708	windowsdesktop-runtime-3.1.29-win-x64.exe
5344	windowsdesktop-runtime-3.1.29-win-x64.exe
3228	windowsdesktop-runtime-3.1.29-win-x64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-3.1.29-win-x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-3.1.29-win-x64.exe

Loads dropped DLL 18 IoCs

Processes:

windowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
5524	windowsdesktop-runtime-3.1.29-win-x64.exe
1708	windowsdesktop-runtime-3.1.29-win-x64.exe
5848	MsiExec.exe
5848	MsiExec.exe
6120	MsiExec.exe
6120	MsiExec.exe
5516	MsiExec.exe
5516	MsiExec.exe
5044	MsiExec.exe
5044	MsiExec.exe
4004	MsiExec.exe
4004	MsiExec.exe
5372	MsiExec.exe
5372	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5836	MsiExec.exe
5836	MsiExec.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{837cb723-adb7-44ab-9d5f-35cc2cb962eb} = "\"C:\\ProgramData\\Package Cache\\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\\windowsdesktop-runtime-3.1.29-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{837cb723-adb7-44ab-9d5f-35cc2cb962eb} = "\"C:\\ProgramData\\Package Cache\\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\\windowsdesktop-runtime-3.1.29-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-3.1.29-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exewindowsdesktop-runtime-3.1.29-win-x64.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\pt-BR\System.Windows.Forms.Design.Editors.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Net.HttpListener.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\Microsoft.Win32.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ru\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ja\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\it\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Reflection.TypeExtensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Diagnostics.TraceSource.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\Microsoft.Win32.SystemEvents.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\tr\System.Windows.Forms.Design.Editors.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\zh-Hant\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\tr\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Net.WebHeaderCollection.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\fr\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\pl\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Xml.Serialization.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Collections.Immutable.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\UIAutomationTypes.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\zh-Hant\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\fr\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\de\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\System.Configuration.ConfigurationManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.IO.FileSystem.DriveInfo.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ru\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\tr\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Xml.XPath.XDocument.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\mscorlib.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\zh-Hans\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\tr\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Private.DataContractSerialization.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Memory.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ja\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\UIAutomationProvider.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\D3DCompiler_47_cor3.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Xml.ReaderWriter.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\cs\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.Web.HttpUtility.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\SOS_README.md	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\fr\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\System.IO.IsolatedStorage.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\es\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\.version	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\tr\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\pt-BR\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.29\mscordaccore.dll	msiexec.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 3.1.29 (x64).swidtag	windowsdesktop-runtime-3.1.29-win-x64.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\it\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\it\System.Windows.Forms.Design.Editors.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ru\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\System.Threading.AccessControl.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\es\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\zh-Hant\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.29\ja\PresentationFramework.resources.dll	msiexec.exe

Drops file in Windows directory 43 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e57f8b4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5681.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BF.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f8ac.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C6B563F3-DC40-415D-B362-910995EE5561}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f8a8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f8b0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI999A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f8a8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f8ac.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI547C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA45A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5343.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f8b3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB103.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D8202713-FF61-4234-AE5F-0CA554EDC52B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2653.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f8b4.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6A280A78-51BD-4C80-8E58-EA2136AAA5F3}	msiexec.exe
File created	C:\Windows\Installer\e57f8b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI987F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1103.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f8b0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB027.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f8ab.msi	msiexec.exe
File created	C:\Windows\Installer\e57f8af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI417E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9206.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAECE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22A8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2AA2F795-2ED6-4E8B-85CE-EBD5F0BD744D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5818.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe

Modifies registry class 64 IoCs

Processes:

windowsdesktop-runtime-3.1.29-win-x64.exemsiexec.exewindowsdesktop-runtime-3.1.29-win-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_24.116.31617_x64	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\Dependents\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6922F2FE7185F23422D809C82AC95029	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\ = "{837cb723-adb7-44ab-9d5f-35cc2cb962eb}"	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_24.116.31617_x64\Dependents\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\87A082A6DB1508C4E885AE1263AA5A3F\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_24.116.31617_x64\Dependents	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.116.31617_x64\ = "{C6B563F3-DC40-415D-B362-910995EE5561}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\Version = "410286977"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\ProductName = "Microsoft .NET Core Host - 3.1.29 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{2AA2F795-2ED6-4E8B-85CE-EBD5F0BD744D}v24.116.31617\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3F365B6C04CDD5143B26199059EE5516\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.116.31617_x64	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_24.116.31617_x64\Dependents\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3172028D16FF4324EAF5C05A45DE5CB2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\SourceList\PackageName = "windowsdesktop-runtime-3.1.29-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\597F2AA26DE2B8E458ECBE5D0FDB47D4\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.116.31617_x64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\43044FE5CC659764AB52CA7C31E07352	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D8202713-FF61-4234-AE5F-0CA554EDC52B}v24.116.31617\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DBF85E355925492400B33FEADFDDFE9F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64\Dependents	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.116.31617_x64\Dependents	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2D3244907645F7D5315E68CCF159655F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\SourceList\PackageName = "dotnet-hostfxr-3.1.29-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{6A280A78-51BD-4C80-8E58-EA2136AAA5F3}v24.116.31617\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_24.116.31617_x64	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\ProductName = "Microsoft .NET Core Host FX Resolver - 3.1.29 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\PackageCode = "0400FB5A09F8F564991C7B51C11E8E4C"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\PackageCode = "F39386F8DEC499042BB9414FFEFD8522"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.116.31617_x64\Dependents\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}	windowsdesktop-runtime-3.1.29-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\Version = "3.1.29.31617"	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C6B563F3-DC40-415D-B362-910995EE5561}v24.116.31617\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64\Version = "24.116.31617"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2D3244907645F7D5315E68CCF159655F\87A082A6DB1508C4E885AE1263AA5A3F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\Dependents	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3172028D16FF4324EAF5C05A45DE5CB2\PackageCode = "2C71D3D372D6CBB4BAE0C28F3483735A"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\597F2AA26DE2B8E458ECBE5D0FDB47D4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{6A280A78-51BD-4C80-8E58-EA2136AAA5F3}v24.116.31617\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\DisplayName = "Microsoft Windows Desktop Runtime - 3.1.29 (x64)"	windowsdesktop-runtime-3.1.29-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3F365B6C04CDD5143B26199059EE5516\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C6B563F3-DC40-415D-B362-910995EE5561}v24.116.31617\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\87A082A6DB1508C4E885AE1263AA5A3F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3172028D16FF4324EAF5C05A45DE5CB2\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\SourceList\PackageName = "dotnet-runtime-3.1.29-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\43044FE5CC659764AB52CA7C31E07352\3F365B6C04CDD5143B26199059EE5516	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\597F2AA26DE2B8E458ECBE5D0FDB47D4\SourceList\Media\1 = ";"	msiexec.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 814872.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 814872.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsiexec.exemsedge.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4456	msedge.exe
4456	msedge.exe
2236	msedge.exe
2236	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
5508	msedge.exe
5508	msedge.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5140	msiexec.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5220	chrome.exe
5220	chrome.exe
1888	chrome.exe
1888	chrome.exe
4696	chrome.exe
4696	chrome.exe
2552	chrome.exe
2552	chrome.exe
5780	chrome.exe
5780	chrome.exe
1760	chrome.exe
1760	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exechrome.exe

pid	process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

windowsdesktop-runtime-3.1.29-win-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeIncreaseQuotaPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSecurityPrivilege	5140	msiexec.exe
Token: SeCreateTokenPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeLockMemoryPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeIncreaseQuotaPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeMachineAccountPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeTcbPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSecurityPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeTakeOwnershipPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeLoadDriverPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSystemProfilePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSystemtimePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeProfSingleProcessPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeIncBasePriorityPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeCreatePagefilePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeCreatePermanentPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeBackupPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeRestorePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeShutdownPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeDebugPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeAuditPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSystemEnvironmentPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeChangeNotifyPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeRemoteShutdownPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeUndockPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeSyncAgentPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeEnableDelegationPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeManageVolumePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeImpersonatePrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeCreateGlobalPrivilege	5344	windowsdesktop-runtime-3.1.29-win-x64.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe
Token: SeRestorePrivilege	5140	msiexec.exe
Token: SeTakeOwnershipPrivilege	5140	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exewindowsdesktop-runtime-3.1.29-win-x64.exewindowsdesktop-runtime-3.1.29-win-x64.exechrome.exe

pid	process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
5524	windowsdesktop-runtime-3.1.29-win-x64.exe
1708	windowsdesktop-runtime-3.1.29-win-x64.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exechrome.exe

pid	process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe
1888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Multi MS Teams.exemsedge.exe

description	pid	process	target process
PID 3776 wrote to memory of 2236	3776	Multi MS Teams.exe	msedge.exe
PID 3776 wrote to memory of 2236	3776	Multi MS Teams.exe	msedge.exe
PID 2236 wrote to memory of 1096	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 1096	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 2216	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 4456	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 4456	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5084	2236	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Multi MS Teams.exe
"C:\Users\Admin\AppData\Local\Temp\Multi MS Teams.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&gui=true&apphost_version=3.1.16
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc53a946f8,0x7ffc53a94708,0x7ffc53a94718
3⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
3⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
3⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
3⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
3⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 /prefetch:8
3⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
3⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 /prefetch:8
3⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
3⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff73e3a5460,0x7ff73e3a5470,0x7ff73e3a5480
4⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
3⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
3⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6268 /prefetch:8
3⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
3⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
3⤵
PID:5172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
3⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
3⤵
PID:5932

C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe"
3⤵
- Executes dropped EXE
PID:3912

C:\Windows\Temp\{77C1A5A5-264D-4ABC-8FE2-F245D1B4A210}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Windows\Temp\{77C1A5A5-264D-4ABC-8FE2-F245D1B4A210}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5524

C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe" -q -burn.elevated BurnPipe.{F0C38ABF-7C09-474C-AF85-442A400453EF} {84086B92-0DBF-44F8-81EA-186EA4584E48} 5524
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe"
3⤵
- Executes dropped EXE
PID:5592

C:\Windows\Temp\{4A30E906-630A-484A-A336-0EBBDF92EC46}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Windows\Temp\{4A30E906-630A-484A-A336-0EBBDF92EC46}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\Temp\{08CCDBBC-9294-4B80-AE3F-7C1AD8DCAE81}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
"C:\Windows\Temp\{08CCDBBC-9294-4B80-AE3F-7C1AD8DCAE81}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe" -q -burn.elevated BurnPipe.{F99BFE2C-DBC1-43D9-98E7-4C424ABCAF8E} {53135A97-343C-4F9D-9EAF-C78510272500} 1708
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
3⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
3⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6568 /prefetch:8
3⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
3⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
3⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
3⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
3⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,16591865544644182226,11228095940178595023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 /prefetch:8
3⤵
PID:5476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A0BD6E8FDDBE4371EB3EE1F104CB8615
2⤵
- Loads dropped DLL
PID:5848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 999ADA875346817CAACF1963244560DE
2⤵
- Loads dropped DLL
PID:6120

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6BED9EFADDBA266C3FEF0C78112C394B
2⤵
- Loads dropped DLL
PID:5516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 82CBF4D553150B2952D131D1D3ABFC7E
2⤵
- Loads dropped DLL
PID:5044

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 774C0E8BFA3094585F9CB3114C715FCF
2⤵
- Loads dropped DLL
PID:4004

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B5338E268EFDFEC60CFE10905743606C
2⤵
- Loads dropped DLL
PID:5372

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 397EB792F52F30082439C27C6A141961
2⤵
- Loads dropped DLL
PID:5764

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F9550A8D3C0034C56A1058AFB9DEAE31
2⤵
- Loads dropped DLL
PID:5836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x33c
1⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4fc64f50,0x7ffc4fc64f60,0x7ffc4fc64f70
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
2⤵
PID:5956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:5792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=996 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
2⤵
PID:5900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,7376486188442409827,12722466095764078510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
2⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\state.rsm
Filesize
924B

MD5
3832b9112511c95118d080275adf4b56

SHA1
20b786c7ba27629a851dc7de0f6294ded24eb9dc

SHA256
376902729f654c94a1b3cc6d03d8055d5681262ddc724ff7c9ad72f7e0f2d971

SHA512
2adddef155bdbe86c9994c6fbe23f8933917f3e721cee176f441e59c13cbc9d170afb3e8168cfe48657ab917e5caaf7c40d2004d600883967d12be80c15617e1

Download Submit
C:\ProgramData\Package Cache\{837cb723-adb7-44ab-9d5f-35cc2cb962eb}\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_3.1.29_(x64)_20221003123911_000_windowsdesktop_runtime_3.1.29_win_x64.msi.log
Filesize
2KB

MD5
35cef58b5f713fc9b72b7cfa7258a84b

SHA1
bd67ef4ba502a6a838be3ffe6f7fa21c40351bdf

SHA256
2a01db00e6c69b795d9e6ea66404a9615b5e823d4d5f49a2e0f4ef1ebf4f9be8

SHA512
86cdfb2fe6ecdd237252e13a0e9b297dcce3e4a52a15d622410138d70d02f8a190b72ffde8794856d2f02b8eb91538e6bfab70b91c69da7f969d93addf632fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_3.1.29_(x64)_20221003123911_001_dotnet_runtime_3.1.29_win_x64.msi.log
Filesize
2KB

MD5
19b5ff9fdff03341158046bebf1ce5ca

SHA1
a4a44e5bdc164fa055fc3b8242ffbcb4800185a5

SHA256
80043cb11769f82b11a6f03f83d7359233dd0012ae7a44a7c2771bc4c79d90f5

SHA512
25c6294f833fa47119b4d556e24b813a5e9bfe2d015d1a7aa3f23247e1a4c1ea4c6ddf617f20ede3ed1b55ce6d73f351e5d5c8b9c30f8a03ad77fcad89931e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_3.1.29_(x64)_20221003123911_002_dotnet_hostfxr_3.1.29_win_x64.msi.log
Filesize
2KB

MD5
76547c8c9228322c7cf8110f91b3b23a

SHA1
ab2318523a35e5848279396e8154005cc3f37ea2

SHA256
c8043886b9dc39e7a6b6aca24c0a0d7bb7c37c1fd2cff409d1481387f931279f

SHA512
48f8ac92d16607dcf48a77eac339737e96169400c8a0197afd6e36c47cd5565c29cf69ae461688a6a8a38cce2663893bc57a5c2dfa4c2eb8e5dd8bd8d0a8ad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_3.1.29_(x64)_20221003123911_003_dotnet_host_3.1.29_win_x64.msi.log
Filesize
2KB

MD5
5323159e7f120b67cab7823ed1e4706e

SHA1
e51ce6a18eb77c391120a02e5dc432a910049ae0

SHA256
270602763ebd283cd83953cc5e9c3d6e7c46f4e2daa17855f6d8f9aaa08d3e8f

SHA512
2cbe76e453883c33acbc99b00ab99694cd2c8ade7569907ba95850e5bc8e7e9e4c02b7dbfbdfa8d67bef96727bf5662b2a84daacfd2c35a003ca090a63846569

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_3.1.29_(x64)_20221003123913_000_windowsdesktop_runtime_3.1.29_win_x64.msi.log
Filesize
2KB

MD5
c7f3a9d4b582454c59e47c538bc1e6d2

SHA1
296f5d6664c079a9a30a7e1bacc9b2ce20ae1007

SHA256
28643c25957375eb048e1c74cb8a77c1dd23476c312ecf633fb91164030a9215

SHA512
57a855f9f87cc893fea0b311ae0ef23b7944c6481991c03bdda08eb9190449522449dd321e94a67a492b601cb6254baecb9ad4ab1397c8e14165fa5d829105d7

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
52.4MB

MD5
74ed1bc81e554e6488edda1f685a441e

SHA1
c07c6ed7f11fe2d8f6e3ffb4416937bd32b5ff10

SHA256
fc7466dc2b5e047aba57eceee43cf317124f242767efeb7adca9e05e9ea2a8b1

SHA512
de49ecf60d9fb799c7f6b84cc2d423d7ce87d817068be67f82875c2eca3113bf61c40a991600957491e36dd7fb21fb156584f249a4b79c4fefdea4460da814db

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
52.4MB

MD5
74ed1bc81e554e6488edda1f685a441e

SHA1
c07c6ed7f11fe2d8f6e3ffb4416937bd32b5ff10

SHA256
fc7466dc2b5e047aba57eceee43cf317124f242767efeb7adca9e05e9ea2a8b1

SHA512
de49ecf60d9fb799c7f6b84cc2d423d7ce87d817068be67f82875c2eca3113bf61c40a991600957491e36dd7fb21fb156584f249a4b79c4fefdea4460da814db

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
52.4MB

MD5
74ed1bc81e554e6488edda1f685a441e

SHA1
c07c6ed7f11fe2d8f6e3ffb4416937bd32b5ff10

SHA256
fc7466dc2b5e047aba57eceee43cf317124f242767efeb7adca9e05e9ea2a8b1

SHA512
de49ecf60d9fb799c7f6b84cc2d423d7ce87d817068be67f82875c2eca3113bf61c40a991600957491e36dd7fb21fb156584f249a4b79c4fefdea4460da814db

Download Submit
C:\Windows\Installer\MSI22A8.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI22A8.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI2653.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI2653.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI417E.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI417E.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI4E60.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI4E60.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI547C.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI547C.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI5681.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI5681.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI5B07.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI5B07.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI9206.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI9206.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI999A.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI999A.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI9BF.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI9BF.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Temp\{08CCDBBC-9294-4B80-AE3F-7C1AD8DCAE81}\.ba\wixstdba.dll
Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{08CCDBBC-9294-4B80-AE3F-7C1AD8DCAE81}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{08CCDBBC-9294-4B80-AE3F-7C1AD8DCAE81}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{4A30E906-630A-484A-A336-0EBBDF92EC46}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{4A30E906-630A-484A-A336-0EBBDF92EC46}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\.ba\wixstdba.dll
Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\.be\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\dotnet_host_3.1.29_win_x64.msi
Filesize
736KB

MD5
6a63c72c9311f5107aca53aa1b0ab82e

SHA1
da718b6f54bee342694eee3dc7304c1c86e0e5f3

SHA256
7289f1bb2f0c49afed6fd95fde742302fe3b23da75175654078004d05e54d858

SHA512
1d3fcca375b546568d6c9d2a0c8ac07c0fa4a14e68fccdc25e3cd779b62091c73a1bd10e52660d6fb6594f5a866cf9a8d497116c584d75e1a585f2e5452dd4af

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\dotnet_hostfxr_3.1.29_win_x64.msi
Filesize
876KB

MD5
38c6201a9cf46eed3c8664bc75f534ac

SHA1
b55f9a8cfbe1257621de470c22a3ec493f207797

SHA256
cdb7cd6210e39015bed1d2d051f2c455a7287c3960bf69eae3c06e027b67da37

SHA512
ac0e2e7c87efeeea1cafa6920fdca0b6e647751672cf8ef001945544ac5996185b8e75c1146b6859c571c5ad0fbebfb2a4fe8bef1e0bbcc577f53b8559bf4644

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\dotnet_runtime_3.1.29_win_x64.msi
Filesize
24.2MB

MD5
82f944566f2d1df073ecc3bd843c6cdd

SHA1
e6192be40cf181afc8c3512e06a7477c1b92aa12

SHA256
79906cbee695523e0eeee01e925ac1a82e66f9a062d15061639fc2f2b7f3af53

SHA512
73313e59003b263a8768dcd8fc71edf5467ecd29baf62874a5552e61343b1db70567b2f626cce9fafb80c8da370d2c144d214b47d8e114c944b18cf748980990

Download Submit
C:\Windows\Temp\{6850E3F3-4F90-4340-8C37-56382989D928}\windowsdesktop_runtime_3.1.29_win_x64.msi
Filesize
27.7MB

MD5
c96d6f10505e7a6a4ad7c5fbec4c5ff1

SHA1
8274a381ce649ed53d90b0c741b949811f61cd05

SHA256
2e6dc4742e622135a71f10e8e7567bf08ceae04f2c54dd9b54dbb097d4295cf4

SHA512
77f3af463336d0901b92e6e5dc160dfbff34eb4398c213c14b7184869c172acb2e1a04c25fb65ded5e7f6caf99139665afbd38a4b2126a83868622a7518c3bec

Download Submit
C:\Windows\Temp\{77C1A5A5-264D-4ABC-8FE2-F245D1B4A210}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
C:\Windows\Temp\{77C1A5A5-264D-4ABC-8FE2-F245D1B4A210}\.cr\windowsdesktop-runtime-3.1.29-win-x64.exe
Filesize
607KB

MD5
a7348bbc90ccf1c31e6a5e4112fcd23f

SHA1
6a89bdb2c2dabe933af8b3093f05a4222ad75258

SHA256
5ebad409ba4ce6a335adbe73eb3bf109de28afe662dfe9c87531620f71d3db3b

SHA512
7e725ce3c523f6005f29bb87a57ce0cd4a26cd10d16c457722e63b04baefada4b4d76ad6395179ed70c466374ad4ec4a2fd3622d32230424105487e6e6967250

Download Submit
\??\pipe\LOCAL\crashpad_2236_LSNQEPMQOCSSQBTK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1096-133-0x0000000000000000-mapping.dmp

Download
memory/1288-149-0x0000000000000000-mapping.dmp

Download
memory/1288-151-0x0000000000000000-mapping.dmp

Download
memory/1668-160-0x0000000000000000-mapping.dmp

Download
memory/1708-177-0x0000000000000000-mapping.dmp

Download
memory/1724-158-0x0000000000000000-mapping.dmp

Download
memory/2216-135-0x0000000000000000-mapping.dmp

Download
memory/2236-132-0x0000000000000000-mapping.dmp

Download
memory/2268-238-0x0000000000000000-mapping.dmp

Download
memory/2284-150-0x0000000000000000-mapping.dmp

Download
memory/2768-145-0x0000000000000000-mapping.dmp

Download
memory/2960-156-0x0000000000000000-mapping.dmp

Download
memory/3188-147-0x0000000000000000-mapping.dmp

Download
memory/3228-215-0x0000000000000000-mapping.dmp

Download
memory/3824-216-0x0000000000000000-mapping.dmp

Download
memory/3848-240-0x0000000000000000-mapping.dmp

Download
memory/3912-168-0x0000000000000000-mapping.dmp

Download
memory/4004-222-0x0000000000000000-mapping.dmp

Download
memory/4076-154-0x0000000000000000-mapping.dmp

Download
memory/4424-143-0x0000000000000000-mapping.dmp

Download
memory/4456-136-0x0000000000000000-mapping.dmp

Download
memory/4540-141-0x0000000000000000-mapping.dmp

Download
memory/5008-152-0x0000000000000000-mapping.dmp

Download
memory/5044-209-0x0000000000000000-mapping.dmp

Download
memory/5084-139-0x0000000000000000-mapping.dmp

Download
memory/5172-162-0x0000000000000000-mapping.dmp

Download
memory/5268-164-0x0000000000000000-mapping.dmp

Download
memory/5344-181-0x0000000000000000-mapping.dmp

Download
memory/5372-227-0x0000000000000000-mapping.dmp

Download
memory/5424-229-0x0000000000000000-mapping.dmp

Download
memory/5476-242-0x0000000000000000-mapping.dmp

Download
memory/5508-165-0x0000000000000000-mapping.dmp

Download
memory/5516-203-0x0000000000000000-mapping.dmp

Download
memory/5524-171-0x0000000000000000-mapping.dmp

Download
memory/5592-175-0x0000000000000000-mapping.dmp

Download
memory/5684-232-0x0000000000000000-mapping.dmp

Download
memory/5764-230-0x0000000000000000-mapping.dmp

Download
memory/5836-231-0x0000000000000000-mapping.dmp

Download
memory/5848-189-0x0000000000000000-mapping.dmp

Download
memory/5896-234-0x0000000000000000-mapping.dmp

Download
memory/5932-167-0x0000000000000000-mapping.dmp

Download
memory/6060-236-0x0000000000000000-mapping.dmp

Download
memory/6068-199-0x0000000000000000-mapping.dmp

Download
memory/6120-195-0x0000000000000000-mapping.dmp

Download